Apache Spark: Shell command injection via Spark UI
CVE-2023-32007

8.8HIGH

Key Information:

Vendor: Apache
Status: Apache Spark
Vendor: CVE Published:; 2 May 2023

Summary

The Apache Spark UI possesses an access control vulnerability where the configuration option spark.acls.enable can be manipulated to allow arbitrary user impersonation. When enabled, a malicious actor could exploit a flaw in the HttpSecurityFilter, potentially gaining unauthorized access to execute shell commands as the user running Spark. This vulnerability affects specific, unsupported versions of Apache Spark and poses a serious risk for organizations still using these outdated versions. Users are strongly advised to upgrade to version 3.4.0 or above to mitigate this risk.

Affected Version(s)

Apache Spark 3.1.1 < 3.2.2

References

https://www.cve.org/CVERecord?id=CVE-2022-33891

https://spark.apache.org/security.html

vendor-advisory

https://lists.apache.org/thread/poxgnxhhnzz735kr1wos366l5...

vendor-advisory

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 2, 2023
Vulnerability Reserved
May 1, 2023

Credit

Sven Krewitt, Flashpoint