The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.
Published 2022-07-18 07:15:08
Updated 2023-08-02 17:21:00

Products affected by CVE-2022-33891

CVE-2022-33891 is in the CISA Known Exploited Vulnerabilities Catalog

CISA vulnerability name:
Apache Spark Command Injection Vulnerability
CISA required action:
Apply updates per vendor instructions.
CISA description:
Apache Spark contains a command injection vulnerability via Spark User Interface (UI) when Access Control Lists (ACLs) are enabled.
Notes:
https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc; https://nvd.nist.gov/vuln/detail/CVE-2022-33891
Added on 2023-03-07; action due date 2023-03-28

Exploit prediction scoring system (EPSS) score for CVE-2022-33891

EPSS score: 97.29% (probability of exploitation activity in the next 30 days)
Percentile: ~100% (the proportion of vulnerabilities scored at or below this score)

Metasploit modules for CVE-2022-33891

  • Apache Spark Unauthenticated Command Injection RCE
    Disclosure Date: 2022-07-18
    First seen: 2022-12-23
    exploit/linux/http/apache_spark_rce_cve_2022_33891
    This module exploits an unauthenticated command injection vulnerability in Apache Spark. Successful exploitation results in remote code execution under the context of the Spark application user. The command injection occurs because Spark checks the group membership of

CVSS scores for CVE-2022-33891

Base Score: 8.8
Base Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability Score: 2.8
Impact Score: 5.9
Score Source: NIST
First Seen: (not given)

CWE ids for CVE-2022-33891

References for CVE-2022-33891
