Vulnerability Details : CVE-2022-33891
Public exploit exists!
The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.
Products affected by CVE-2022-33891
- cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:*
CVE-2022-33891 is in the CISA Known Exploited Vulnerabilities Catalog
CISA vulnerability name: Apache Spark Command Injection Vulnerability
CISA required action: Apply updates per vendor instructions.
CISA description: Apache Spark contains a command injection vulnerability via Spark User Interface (UI) when Access Control Lists (ACLs) are enabled.
Notes: https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc; https://nvd.nist.gov/vuln/detail/CVE-2022-33891
Added on: 2023-03-07
Action due date: 2023-03-28
Exploit prediction scoring system (EPSS) score for CVE-2022-33891
EPSS score: 97.29% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~100% (the proportion of vulnerabilities that are scored at or below this score)
Metasploit modules for CVE-2022-33891
- Apache Spark Unauthenticated Command Injection RCE
  Disclosure date: 2022-07-18. First seen: 2022-12-23. Module: exploit/linux/http/apache_spark_rce_cve_2022_33891
  This module exploits an unauthenticated command injection vulnerability in Apache Spark. Successful exploitation results in remote code execution under the context of the Spark application user. The command injection occurs because Spark checks the group membership of
CVSS scores for CVE-2022-33891
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST |
CWE ids for CVE-2022-33891
- The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
  Assigned by:
  - nvd@nist.gov (Secondary)
  - security@apache.org (Secondary)
- The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
  Assigned by:
  - nvd@nist.gov (Secondary)
  - security@apache.org (Primary)
References for CVE-2022-33891
- http://www.openwall.com/lists/oss-security/2023/05/02/1
  oss-security - CVE-2023-32007: Apache Spark: Shell command injection via Spark UI (Mailing List; Third Party Advisory)
- http://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html
  Apache Spark Unauthenticated Command Injection ≈ Packet Storm (Exploit; Third Party Advisory; VDB Entry)
- https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc
  CVE-2022-33891: Apache Spark shell command injection vulnerability via Spark UI - Apache Mail Archives (Mailing List; Third Party Advisory)