Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2022-33891 (GCVE-0-2022-33891)
Vulnerability from cvelistv5 – Published: 2022-07-18 00:00 – Updated: 2025-10-21 23:15
VLAI
EPSS
CISA KEV
Title
Apache Spark shell command injection vulnerability via Spark UI
Summary
The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.
Severity
No CVSS data available.
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Spark |
Affected:
3.0.3 and earlier , ≤ 3.0.3
(custom)
Affected: 3.1.1 to 3.1.2 , ≤ 3.1.2 (custom) Affected: 3.2.0 to 3.2.1 , ≤ 3.2.1 (custom) |
Credits
Kostya Kortchinsky (Databricks)
CISA KEV
Known Exploited Vulnerability - GCVE BCP-07 Compliant
KEV entry ID: a7d834dd-efbf-4d2d-ac58-7b8b6df8de68
Exploited: Yes
Timestamps
First Seen: 2023-03-07
Asserted: 2023-03-07
Scope
Notes: KEV entry: Apache Spark Command Injection Vulnerability | Affected: Apache / Spark | Description: Apache Spark contains a command injection vulnerability via Spark User Interface (UI) when Access Control Lists (ACLs) are enabled. | Required action: Apply updates per vendor instructions. | Due date: 2023-03-28 | Known ransomware campaign use (KEV): Unknown | Notes (KEV): https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc; https://nvd.nist.gov/vuln/detail/CVE-2022-33891
Evidence
Type: Vendor Report
Signal: Successful Exploitation
Confidence: 80%
Source: cisa-kev
Details
| Cwes | CWE-78 |
|---|---|
| Feed | CISA Known Exploited Vulnerabilities Catalog |
| Product | Spark |
| Due Date | 2023-03-28 |
| Date Added | 2023-03-07 |
| Vendorproject | Apache |
| Vulnerabilityname | Apache Spark Command Injection Vulnerability |
| Knownransomwarecampaignuse | Unknown |
References
Created: 2026-02-02 12:27 UTC
| Updated: 2026-02-06 07:17 UTC
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T08:09:22.687Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html"
},
{
"name": "[oss-security] 20230502 CVE-2023-32007: Apache Spark: Shell command injection via Spark UI",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2023/05/02/1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-33891",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-04T14:13:50.936095Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2023-03-07",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-33891"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T23:15:38.160Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-33891"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-03-07T00:00:00.000Z",
"value": "CVE-2022-33891 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Apache Spark",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "3.0.3",
"status": "affected",
"version": "3.0.3 and earlier",
"versionType": "custom"
},
{
"lessThanOrEqual": "3.1.2",
"status": "affected",
"version": "3.1.1 to 3.1.2",
"versionType": "custom"
},
{
"lessThanOrEqual": "3.2.1",
"status": "affected",
"version": "3.2.0 to 3.2.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Kostya Kortchinsky (Databricks)"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1."
}
],
"metrics": [
{
"other": {
"content": {
"other": "important"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-25T08:13:36.397Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"url": "https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc"
},
{
"url": "http://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html"
},
{
"name": "[oss-security] 20230502 CVE-2023-32007: Apache Spark: Shell command injection via Spark UI",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2023/05/02/1"
}
],
"source": {
"defect": [
"SPARK-38992"
],
"discovery": "UNKNOWN"
},
"title": "Apache Spark shell command injection vulnerability via Spark UI",
"workarounds": [
{
"lang": "en",
"value": "Upgrade to supported Apache Spark maintenance release 3.1.3, 3.2.2, or 3.3.0 or later"
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-33891",
"datePublished": "2022-07-18T00:00:00.000Z",
"dateReserved": "2022-06-17T00:00:00.000Z",
"dateUpdated": "2025-10-21T23:15:38.160Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"cisa_known_exploited": {
"cveID": "CVE-2022-33891",
"cwes": "[\"CWE-78\"]",
"dateAdded": "2023-03-07",
"dueDate": "2023-03-28",
"knownRansomwareCampaignUse": "Unknown",
"notes": "https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc; https://nvd.nist.gov/vuln/detail/CVE-2022-33891",
"product": "Spark",
"requiredAction": "Apply updates per vendor instructions.",
"shortDescription": "Apache Spark contains a command injection vulnerability via Spark User Interface (UI) when Access Control Lists (ACLs) are enabled.",
"vendorProject": "Apache",
"vulnerabilityName": "Apache Spark Command Injection Vulnerability"
},
"epss": {
"cve": "CVE-2022-33891",
"date": "2026-05-27",
"epss": "0.93513",
"percentile": "0.99833"
},
"fkie_nvd": {
"cisaActionDue": "2023-03-28",
"cisaExploitAdd": "2023-03-07",
"cisaRequiredAction": "Apply updates per vendor instructions.",
"cisaVulnerabilityName": "Apache Spark Command Injection Vulnerability",
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"3.0.3\", \"matchCriteriaId\": \"4DC23EB9-9F4E-40BF-B048-51D8DE194C6A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"3.1.1\", \"versionEndIncluding\": \"3.1.2\", \"matchCriteriaId\": \"719242D7-9E8B-4EBE-A3E6-B4DC77E6F3D9\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"3.2.0\", \"versionEndIncluding\": \"3.2.1\", \"matchCriteriaId\": \"48E12AD0-1B58-4786-B28C-C661B3932736\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.\"}, {\"lang\": \"es\", \"value\": \"La interfaz de usuario de Apache Spark ofrece la posibilidad de habilitar ACLs por medio de la opci\\u00f3n de configuraci\\u00f3n spark.acls.enable. Con un filtro de autenticaci\\u00f3n, es comprobado si un usuario presenta permisos de acceso para ver o modificar la aplicaci\\u00f3n. Si las ACLs est\\u00e1n habilitadas, una ruta de c\\u00f3digo en HttpSecurityFilter puede permitir que alguien lleve a cabo una suplantaci\\u00f3n de identidad proporcionando un nombre de usuario arbitrario. Un usuario malicioso podr\\u00eda entonces ser capaz de llegar a una funci\\u00f3n de comprobaci\\u00f3n de permisos que finalmente construir\\u00e1 un comando de shell Unix basado en su entrada, y lo ejecutar\\u00e1. Esto resultar\\u00e1 en la ejecuci\\u00f3n de un comando shell arbitrario como el usuario con el que Spark se est\\u00e1 ejecutando actualmente. Esto afecta a las versiones de Apache Spark 3.0.3 y anteriores, a las versiones 3.1.1 a 3.1.2 y a las versiones 3.2.0 a 3.2.1\"}]",
"id": "CVE-2022-33891",
"lastModified": "2024-11-21T07:08:32.510",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.9}]}",
"published": "2022-07-18T07:15:07.600",
"references": "[{\"url\": \"http://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html\", \"source\": \"security@apache.org\", \"tags\": [\"Exploit\", \"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2023/05/02/1\", \"source\": \"security@apache.org\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc\", \"source\": \"security@apache.org\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2023/05/02/1\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}]",
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"security@apache.org\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-78\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-78\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2022-33891\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2022-07-18T07:15:07.600\",\"lastModified\":\"2025-10-23T14:48:51.083\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.\"},{\"lang\":\"es\",\"value\":\"La interfaz de usuario de Apache Spark ofrece la posibilidad de habilitar ACLs por medio de la opci\u00f3n de configuraci\u00f3n spark.acls.enable. Con un filtro de autenticaci\u00f3n, es comprobado si un usuario presenta permisos de acceso para ver o modificar la aplicaci\u00f3n. Si las ACLs est\u00e1n habilitadas, una ruta de c\u00f3digo en HttpSecurityFilter puede permitir que alguien lleve a cabo una suplantaci\u00f3n de identidad proporcionando un nombre de usuario arbitrario. Un usuario malicioso podr\u00eda entonces ser capaz de llegar a una funci\u00f3n de comprobaci\u00f3n de permisos que finalmente construir\u00e1 un comando de shell Unix basado en su entrada, y lo ejecutar\u00e1. Esto resultar\u00e1 en la ejecuci\u00f3n de un comando shell arbitrario como el usuario con el que Spark se est\u00e1 ejecutando actualmente. Esto afecta a las versiones de Apache Spark 3.0.3 y anteriores, a las versiones 3.1.1 a 3.1.2 y a las versiones 3.2.0 a 3.2.1\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"cisaExploitAdd\":\"2023-03-07\",\"cisaActionDue\":\"2023-03-28\",\"cisaRequiredAction\":\"Apply updates per vendor instructions.\",\"cisaVulnerabilityName\":\"Apache Spark Command Injection Vulnerability\",\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-78\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-78\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"3.0.3\",\"matchCriteriaId\":\"4DC23EB9-9F4E-40BF-B048-51D8DE194C6A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.1.1\",\"versionEndIncluding\":\"3.1.2\",\"matchCriteriaId\":\"719242D7-9E8B-4EBE-A3E6-B4DC77E6F3D9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.2.0\",\"versionEndIncluding\":\"3.2.1\",\"matchCriteriaId\":\"48E12AD0-1B58-4786-B28C-C661B3932736\"}]}]}],\"references\":[{\"url\":\"http://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html\",\"source\":\"security@apache.org\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2023/05/02/1\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2023/05/02/1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-33891\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc\", \"tags\": [\"x_transferred\"]}, {\"url\": \"http://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html\", \"tags\": [\"x_transferred\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2023/05/02/1\", \"name\": \"[oss-security] 20230502 CVE-2023-32007: Apache Spark: Shell command injection via Spark UI\", \"tags\": [\"mailing-list\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T08:09:22.687Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-33891\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"active\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-04T14:13:50.936095Z\"}}}, {\"other\": {\"type\": \"kev\", \"content\": {\"dateAdded\": \"2023-03-07\", \"reference\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-33891\"}}}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2023-03-07T00:00:00+00:00\", \"value\": \"CVE-2022-33891 added to CISA KEV\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-04T14:13:38.180Z\"}}], \"cna\": {\"title\": \"Apache Spark shell command injection vulnerability via Spark UI\", \"source\": {\"defect\": [\"SPARK-38992\"], \"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"value\": \" Kostya Kortchinsky (Databricks)\"}], \"metrics\": [{\"other\": {\"type\": \"unknown\", \"content\": {\"other\": \"important\"}}}], \"affected\": [{\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache Spark\", \"versions\": [{\"status\": \"affected\", \"version\": \"3.0.3 and earlier\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"3.0.3\"}, {\"status\": \"affected\", \"version\": \"3.1.1 to 3.1.2\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"3.1.2\"}, {\"status\": \"affected\", \"version\": \"3.2.0 to 3.2.1\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"3.2.1\"}]}], \"references\": [{\"url\": \"https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc\"}, {\"url\": \"http://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html\"}, {\"url\": \"http://www.openwall.com/lists/oss-security/2023/05/02/1\", \"name\": \"[oss-security] 20230502 CVE-2023-32007: Apache Spark: Shell command injection via Spark UI\", \"tags\": [\"mailing-list\"]}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"Upgrade to supported Apache Spark maintenance release 3.1.3, 3.2.2, or 3.3.0 or later\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.0.9\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-78\", \"description\": \"CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"shortName\": \"apache\", \"dateUpdated\": \"2023-07-25T08:13:36.397Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2022-33891\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-10-21T18:45:28.463Z\", \"dateReserved\": \"2022-06-17T00:00:00.000Z\", \"assignerOrgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"datePublished\": \"2022-07-18T00:00:00.000Z\", \"assignerShortName\": \"apache\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
BDU:2022-04514
Vulnerability from fstec - Published: 18.07.2022
VLAI
Title
Уязвимость интерфейса фреймворка Apache Spark, позволяющая нарушителю выполнить произвольную команду
Description
Уязвимость интерфейса фреймворка Apache Spark связана с недостаточной проверкой аргументов, передаваемых в команду. Эксплуатация уязвимости может позволить нарушителю, действующему удалённо, выполнить произвольную команду
Severity
Vendor
Apache Software Foundation
Software Name
Spark
Software Version
от 3.1.0 до 3.1.3 (Spark), от 3.2.0 до 3.2.2 (Spark), до 3.3.0 (Spark)
Possible Mitigations
Использование рекомендаций:
https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc
Reference
https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc
https://vuldb.com/ru/?id.204086
http://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html
https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv
CWE
CWE-77
{
"CVSS 2.0": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"CVSS 3.0": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"CVSS 4.0": null,
"remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
"remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
"\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "Apache Software Foundation",
"\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "\u043e\u0442 3.1.0 \u0434\u043e 3.1.3 (Spark), \u043e\u0442 3.2.0 \u0434\u043e 3.2.2 (Spark), \u0434\u043e 3.3.0 (Spark)",
"\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\nhttps://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc",
"\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "18.07.2022",
"\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "24.09.2024",
"\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "20.07.2022",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2022-04514",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2022-33891",
"\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
"\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
"\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Spark",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": null,
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0438\u043d\u0442\u0435\u0440\u0444\u0435\u0439\u0441\u0430 \u0444\u0440\u0435\u0439\u043c\u0432\u043e\u0440\u043a\u0430 Apache Spark, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u0443\u044e \u043a\u043e\u043c\u0430\u043d\u0434\u0443",
"\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0421\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442 \u0432 \u043e\u0442\u043a\u0440\u044b\u0442\u043e\u043c \u0434\u043e\u0441\u0442\u0443\u043f\u0435",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u043f\u0440\u0438\u043d\u044f\u0442\u0438\u0435 \u043c\u0435\u0440 \u043f\u043e \u0447\u0438\u0441\u0442\u043a\u0435 \u0434\u0430\u043d\u043d\u044b\u0445 \u043d\u0430 \u0443\u043f\u0440\u0430\u0432\u043b\u044f\u044e\u0449\u0435\u043c \u0443\u0440\u043e\u0432\u043d\u0435 (\u0412\u043d\u0435\u0434\u0440\u0435\u043d\u0438\u0435 \u0432 \u043a\u043e\u043c\u0430\u043d\u0434\u0443) (CWE-77)",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0438\u043d\u0442\u0435\u0440\u0444\u0435\u0439\u0441\u0430 \u0444\u0440\u0435\u0439\u043c\u0432\u043e\u0440\u043a\u0430 Apache Spark \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0435\u0434\u043e\u0441\u0442\u0430\u0442\u043e\u0447\u043d\u043e\u0439 \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u043e\u0439 \u0430\u0440\u0433\u0443\u043c\u0435\u043d\u0442\u043e\u0432, \u043f\u0435\u0440\u0435\u0434\u0430\u0432\u0430\u0435\u043c\u044b\u0445 \u0432 \u043a\u043e\u043c\u0430\u043d\u0434\u0443. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0451\u043d\u043d\u043e, \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u0443\u044e \u043a\u043e\u043c\u0430\u043d\u0434\u0443",
"\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
"\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
"\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430",
"\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u0418\u043d\u044a\u0435\u043a\u0446\u0438\u044f",
"\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc\nhttps://vuldb.com/ru/?id.204086\nhttp://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html\nhttps://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv",
"\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
"\u0422\u0438\u043f \u041f\u041e": "\u041f\u041e \u0434\u043b\u044f \u0440\u0430\u0437\u0440\u0430\u0431\u043e\u0442\u043a\u0438 \u0418\u0418",
"\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-77",
"\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,5)\n\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,3)"
}
bit-spark-2022-33891
Vulnerability from bitnami_vulndb
Published
2024-03-06 11:05
Modified
2025-10-22 09:08
Summary
Apache Spark shell command injection vulnerability via Spark UI
Details
The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.
{
"affected": [
{
"package": {
"ecosystem": "Bitnami",
"name": "spark",
"purl": "pkg:bitnami/spark"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.4"
},
{
"introduced": "3.1.1"
},
{
"fixed": "3.1.3"
},
{
"introduced": "3.2.0"
},
{
"fixed": "3.2.2"
}
],
"type": "SEMVER"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
],
"aliases": [
"CVE-2022-33891"
],
"database_specific": {
"cpes": [
"cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:*"
],
"severity": "High"
},
"details": "The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.",
"id": "BIT-spark-2022-33891",
"modified": "2025-10-22T09:08:25.162Z",
"published": "2024-03-06T11:05:29.361Z",
"references": [
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2023/05/02/1"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33891"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-33891"
}
],
"schema_version": "1.5.0",
"summary": "Apache Spark shell command injection vulnerability via Spark UI"
}
CNVD-2022-52835
Vulnerability from cnvd - Published: 2022-07-19
VLAI
Title
Apache Spark命令注入漏洞
Description
Apache Spark是美国阿帕奇(Apache)基金会的一款支持非循环数据流和内存计算的大规模数据处理引擎。
Apache Spark存在命令注入漏洞,攻击者可利用漏洞导致任意shell命令执行,因为用户Spark当前正在运行。
Severity
高
Patch Name
Apache Spark命令注入漏洞的补丁
Patch Description
Apache Spark是美国阿帕奇(Apache)基金会的一款支持非循环数据流和内存计算的大规模数据处理引擎。
Apache Spark存在命令注入漏洞,攻击者可利用漏洞导致任意shell命令执行,因为用户Spark当前正在运行。目前,供应商发布了安全公告及相关补丁信息,修复了此漏洞。
Formal description
用户可参考如下供应商提供的安全公告获得补丁信息: https://spark.apache.org/security.html
Reference
https://spark.apache.org/security.html
Impacted products
| Name | ['Apache Spark ≤ 3.0.3', 'Apache Spark >=3.1.1,<=3.1.2', 'Apache Spark >=3.2.0,<=3.2.1'] |
|---|
{
"cves": {
"cve": {
"cveNumber": "CVE-2022-33891"
}
},
"description": "Apache Spark\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u6b3e\u652f\u6301\u975e\u5faa\u73af\u6570\u636e\u6d41\u548c\u5185\u5b58\u8ba1\u7b97\u7684\u5927\u89c4\u6a21\u6570\u636e\u5904\u7406\u5f15\u64ce\u3002\n\nApache Spark\u5b58\u5728\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u6f0f\u6d1e\u5bfc\u81f4\u4efb\u610fshell\u547d\u4ee4\u6267\u884c\uff0c\u56e0\u4e3a\u7528\u6237Spark\u5f53\u524d\u6b63\u5728\u8fd0\u884c\u3002",
"formalWay": "\u7528\u6237\u53ef\u53c2\u8003\u5982\u4e0b\u4f9b\u5e94\u5546\u63d0\u4f9b\u7684\u5b89\u5168\u516c\u544a\u83b7\u5f97\u8865\u4e01\u4fe1\u606f\uff1a\r\nhttps://spark.apache.org/security.html",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2022-52835",
"openTime": "2022-07-19",
"patchDescription": "Apache Spark\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u6b3e\u652f\u6301\u975e\u5faa\u73af\u6570\u636e\u6d41\u548c\u5185\u5b58\u8ba1\u7b97\u7684\u5927\u89c4\u6a21\u6570\u636e\u5904\u7406\u5f15\u64ce\u3002\r\n\r\nApache Spark\u5b58\u5728\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u6f0f\u6d1e\u5bfc\u81f4\u4efb\u610fshell\u547d\u4ee4\u6267\u884c\uff0c\u56e0\u4e3a\u7528\u6237Spark\u5f53\u524d\u6b63\u5728\u8fd0\u884c\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
"patchName": "Apache Spark\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e\u7684\u8865\u4e01",
"products": {
"product": [
"Apache Spark \u2264 3.0.3",
"Apache Spark \u003e=3.1.1\uff0c\u003c=3.1.2",
"Apache Spark \u003e=3.2.0\uff0c\u003c=3.2.1"
]
},
"referenceLink": "https://spark.apache.org/security.html",
"serverity": "\u9ad8",
"submitTime": "2022-07-18",
"title": "Apache Spark\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e"
}
FKIE_CVE-2022-33891
Vulnerability from fkie_nvd - Published: 2022-07-18 07:15 - Updated: 2025-10-23 14:48
Severity
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.
References
| URL | Tags | ||
|---|---|---|---|
| security@apache.org | http://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html | Exploit, Third Party Advisory, VDB Entry | |
| security@apache.org | http://www.openwall.com/lists/oss-security/2023/05/02/1 | Mailing List, Third Party Advisory | |
| security@apache.org | https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html | Exploit, Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2023/05/02/1 | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc | Mailing List, Third Party Advisory | |
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-33891 | Third Party Advisory, US Government Resource |
{
"cisaActionDue": "2023-03-28",
"cisaExploitAdd": "2023-03-07",
"cisaRequiredAction": "Apply updates per vendor instructions.",
"cisaVulnerabilityName": "Apache Spark Command Injection Vulnerability",
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4DC23EB9-9F4E-40BF-B048-51D8DE194C6A",
"versionEndIncluding": "3.0.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:*",
"matchCriteriaId": "719242D7-9E8B-4EBE-A3E6-B4DC77E6F3D9",
"versionEndIncluding": "3.1.2",
"versionStartIncluding": "3.1.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:*",
"matchCriteriaId": "48E12AD0-1B58-4786-B28C-C661B3932736",
"versionEndIncluding": "3.2.1",
"versionStartIncluding": "3.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1."
},
{
"lang": "es",
"value": "La interfaz de usuario de Apache Spark ofrece la posibilidad de habilitar ACLs por medio de la opci\u00f3n de configuraci\u00f3n spark.acls.enable. Con un filtro de autenticaci\u00f3n, es comprobado si un usuario presenta permisos de acceso para ver o modificar la aplicaci\u00f3n. Si las ACLs est\u00e1n habilitadas, una ruta de c\u00f3digo en HttpSecurityFilter puede permitir que alguien lleve a cabo una suplantaci\u00f3n de identidad proporcionando un nombre de usuario arbitrario. Un usuario malicioso podr\u00eda entonces ser capaz de llegar a una funci\u00f3n de comprobaci\u00f3n de permisos que finalmente construir\u00e1 un comando de shell Unix basado en su entrada, y lo ejecutar\u00e1. Esto resultar\u00e1 en la ejecuci\u00f3n de un comando shell arbitrario como el usuario con el que Spark se est\u00e1 ejecutando actualmente. Esto afecta a las versiones de Apache Spark 3.0.3 y anteriores, a las versiones 3.1.1 a 3.1.2 y a las versiones 3.2.0 a 3.2.1"
}
],
"id": "CVE-2022-33891",
"lastModified": "2025-10-23T14:48:51.083",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2022-07-18T07:15:07.600",
"references": [
{
"source": "security@apache.org",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2023/05/02/1"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2023/05/02/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-33891"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-78"
}
],
"source": "security@apache.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-78"
}
],
"source": "nvd@nist.gov",
"type": "Secondary"
}
]
}
GHSA-4X9R-J582-CGR8
Vulnerability from github – Published: 2022-07-19 00:00 – Updated: 2025-10-22 19:19
VLAI
Summary
Apache Spark UI can allow impersonation if ACLs enabled
Details
The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.
A previous version of this advisory incorrectly stated that version 3.1.3 was not vulnerable. Per GHSA-59hw-j9g6-mfg3, version 3.1.3 is vulnerable and vulnerable version ranges in this advisory have been changed to reflect the correct information.
Severity
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.spark:spark-parent_2.12"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "3.0.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.spark:spark-parent_2.12"
},
"ranges": [
{
"events": [
{
"introduced": "3.1.1"
},
{
"fixed": "3.2.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "pyspark"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "3.0.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "pyspark"
},
"ranges": [
{
"events": [
{
"introduced": "3.1.1"
},
{
"fixed": "3.2.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-33891"
],
"database_specific": {
"cwe_ids": [
"CWE-78"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-21T21:40:46Z",
"nvd_published_at": "2022-07-18T07:15:00Z",
"severity": "HIGH"
},
"details": "The Apache Spark UI offers the possibility to enable ACLs via the configuration option `spark.acls.enable`. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.\n\nA previous version of this advisory incorrectly stated that version 3.1.3 was not vulnerable. Per [GHSA-59hw-j9g6-mfg3](https://github.com/advisories/GHSA-59hw-j9g6-mfg3), version 3.1.3 is vulnerable and vulnerable version ranges in this advisory have been changed to reflect the correct information.",
"id": "GHSA-4x9r-j582-cgr8",
"modified": "2025-10-22T19:19:14Z",
"published": "2022-07-19T00:00:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33891"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/spark"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/pyspark/PYSEC-2022-236.yaml"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc"
},
{
"type": "WEB",
"url": "https://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-33891"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2023/05/02/1"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2023/05/02/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:A",
"type": "CVSS_V4"
}
],
"summary": "Apache Spark UI can allow impersonation if ACLs enabled"
}
GSD-2022-33891
Vulnerability from gsd - Updated: 2023-12-13 01:19Details
The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2022-33891",
"description": "The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.",
"id": "GSD-2022-33891",
"references": [
"https://www.suse.com/security/cve/CVE-2022-33891.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2022-33891"
],
"details": "The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.",
"id": "GSD-2022-33891",
"modified": "2023-12-13T01:19:24.121951Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2022-33891",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Spark",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.3 and earlier",
"version_value": "3.0.3"
},
{
"version_affected": "\u003c=",
"version_name": "3.1.1 to 3.1.2",
"version_value": "3.1.2"
},
{
"version_affected": "\u003c=",
"version_name": "3.2.0 to 3.2.1",
"version_value": "3.2.1"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credits": [
{
"lang": "en",
"value": " Kostya Kortchinsky (Databricks)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"cweId": "CWE-78",
"lang": "eng",
"value": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc",
"refsource": "MISC",
"url": "https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc"
},
{
"name": "http://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html"
},
{
"name": "http://www.openwall.com/lists/oss-security/2023/05/02/1",
"refsource": "MISC",
"url": "http://www.openwall.com/lists/oss-security/2023/05/02/1"
}
]
},
"source": {
"defect": [
"SPARK-38992"
],
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"value": "Upgrade to supported Apache Spark maintenance release 3.1.3, 3.2.2, or 3.3.0 or later"
}
]
},
"gitlab.com": {
"advisories": [
{
"affected_range": "(,3.0.3],[3.1.1,3.1.2],[3.2.0,3.2.1]",
"affected_versions": "All versions up to 3.0.3, all versions starting from 3.1.1 up to 3.1.2, all versions starting from 3.2.0 up to 3.2.1",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-78",
"CWE-937"
],
"date": "2023-08-02",
"description": "The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.",
"fixed_versions": [],
"identifier": "CVE-2022-33891",
"identifiers": [
"CVE-2022-33891"
],
"not_impacted": "",
"package_slug": "maven/org.apache.spark/spark-core",
"pubdate": "2022-07-18",
"solution": "Unfortunately, there is no solution available yet.",
"title": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2022-33891",
"https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc"
],
"uuid": "b0e66771-7828-406c-8f58-a662da5b0493"
},
{
"affected_range": "(,3.0.3],[3.1.1,3.2.2)",
"affected_versions": "All versions up to 3.0.3, all versions starting from 3.1.1 before 3.2.2",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-77",
"CWE-78",
"CWE-937"
],
"date": "2023-05-02",
"description": "The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.",
"fixed_versions": [
"3.2.2"
],
"identifier": "CVE-2022-33891",
"identifiers": [
"GHSA-4x9r-j582-cgr8",
"CVE-2022-33891"
],
"not_impacted": "All versions after 3.0.3 before 3.1.1, all versions starting from 3.2.2",
"package_slug": "maven/org.apache.spark/spark-parent_2.12",
"pubdate": "2022-07-19",
"solution": "Upgrade to version 3.2.2 or above.",
"title": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2022-33891",
"https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc",
"https://github.com/pypa/advisory-database/tree/main/vulns/pyspark/PYSEC-2022-236.yaml",
"http://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html",
"http://www.openwall.com/lists/oss-security/2023/05/02/1",
"https://github.com/advisories/GHSA-4x9r-j582-cgr8"
],
"uuid": "8d6a1faf-7ee3-4ce4-a65c-a70ccba2eabc"
},
{
"affected_range": "\u003c=3.0.3||\u003e=3.1.1,\u003c=3.1.2||\u003e=3.2.0,\u003c=3.2.1",
"affected_versions": "All versions up to 3.0.3, all versions starting from 3.1.1 up to 3.1.2, all versions starting from 3.2.0 up to 3.2.1",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-78",
"CWE-937"
],
"date": "2023-08-02",
"description": "The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.",
"fixed_versions": [
"3.1.3",
"3.2.2"
],
"identifier": "CVE-2022-33891",
"identifiers": [
"CVE-2022-33891"
],
"not_impacted": "All versions after 3.0.3 before 3.1.1, all versions after 3.1.2 before 3.2.0, all versions after 3.2.1",
"package_slug": "pypi/pyspark",
"pubdate": "2022-07-18",
"solution": "Upgrade to versions 3.1.3, 3.2.2 or above.",
"title": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2022-33891",
"https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc"
],
"uuid": "9158dd7e-1681-4cb1-8d54-c8c898cc940d"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "3.0.3",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "3.2.1",
"versionStartIncluding": "3.2.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "3.1.2",
"versionStartIncluding": "3.1.1",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2022-33891"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-78"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "N/A",
"refsource": "CONFIRM",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc"
},
{
"name": "http://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html",
"refsource": "MISC",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html"
},
{
"name": "[oss-security] 20230502 CVE-2023-32007: Apache Spark: Shell command injection via Spark UI",
"refsource": "MLIST",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2023/05/02/1"
}
]
}
},
"impact": {
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9
}
},
"lastModifiedDate": "2023-08-02T17:21Z",
"publishedDate": "2022-07-18T07:15Z"
}
}
}
PYSEC-2022-236
Vulnerability from pysec - Published: 2022-07-18 07:15 - Updated: 2022-07-25 14:38
VLAI
Details
The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.
Impacted products
| Name | purl | pyspark | pkg:pypi/pyspark |
|---|
Aliases
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "pyspark",
"purl": "pkg:pypi/pyspark"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.1.1"
},
{
"introduced": "3.2.0"
},
{
"fixed": "3.2.2"
},
{
"introduced": "3.1.1"
},
{
"fixed": "3.1.3"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.1.1",
"2.1.2",
"2.1.3",
"2.2.0",
"2.2.1",
"2.2.2",
"2.2.3",
"2.3.0",
"2.3.1",
"2.3.2",
"2.3.3",
"2.3.4",
"2.4.0",
"2.4.1",
"2.4.2",
"2.4.3",
"2.4.4",
"2.4.5",
"2.4.6",
"2.4.7",
"2.4.8",
"3.0.0",
"3.0.1",
"3.0.2",
"3.0.3",
"3.1.1",
"3.1.2",
"3.2.0",
"3.2.1"
]
}
],
"aliases": [
"CVE-2022-33891",
"GHSA-4x9r-j582-cgr8"
],
"details": "The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.",
"id": "PYSEC-2022-236",
"modified": "2022-07-25T14:38:46.692270Z",
"published": "2022-07-18T07:15:00Z",
"references": [
{
"type": "WEB",
"url": "https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-4x9r-j582-cgr8"
}
]
}
SUSE-SU-2023:0070-1
Vulnerability from csaf_suse - Published: 2023-01-11 14:40 - Updated: 2023-01-11 14:40Summary
Security update for openstack-barbican, openstack-heat-gbp, openstack-horizon-plugin-gbp-ui, openstack-neutron, openstack-neutron-gbp
Severity
Important
Notes
Title of the patch: Security update for openstack-barbican, openstack-heat-gbp, openstack-horizon-plugin-gbp-ui, openstack-neutron, openstack-neutron-gbp
Description of the patch: This update for openstack-barbican, openstack-heat-gbp, openstack-horizon-plugin-gbp-ui, openstack-neutron, openstack-neutron-gbp fixes the following issues:
Security fixes included on this update:
openstack-barbican:
- CVE-2022-3100: Fixed an access policy bypass via query string injection (bsc#1203873).
spark:
- CVE-2022-33891: Fixed a command injection vulnerability via Spark UI (bsc#1204326).
Non Security fixes:
Changes in openstack-barbican:
- Add patch to address access policy bypass via query string injection.
(bsc#1203873, CVE-2022-3100.)
Changes in openstack-heat-gbp:
- Update to version group-based-policy-automation-14.0.1.dev5:
* Add support for zed
Changes in openstack-horizon-plugin-gbp-ui:
- Update to version group-based-policy-ui-14.0.1.dev6:
* Add support for zed
- Update to version group-based-policy-ui-14.0.1.dev5:
* fix launch instance GBP issue
Changes in openstack-neutron:
- Update to version neutron-13.0.8.dev209:
* Update documentation link for openSUSE index
- Update to version neutron-13.0.8.dev208:
* fix: Fix url of Floodlight
- Update to version neutron-13.0.8.dev207:
* Mellanox\_eth.img url expires, remove the mellanox\_eth.img node
Changes in openstack-neutron:
- Update to version neutron-13.0.8.dev209:
* Update documentation link for openSUSE index
- Update to version neutron-13.0.8.dev208:
* fix: Fix url of Floodlight
- Update to version neutron-13.0.8.dev207:
* Mellanox\_eth.img url expires, remove the mellanox\_eth.img node
Changes in openstack-neutron-gbp:
- Update to version group-based-policy-14.0.1.dev52:
* Fix keystone notification listener
- Update to version group-based-policy-14.0.1.dev51:
* Support for epg subnet
2014.2.0rc1
- Update to version group-based-policy-14.0.1.dev50:
* Use top-level contract references
2014.2.rc1
- Update to version group-based-policy-14.0.1.dev48:
* Remove py37 jobs from gate
2014.2rc1
Changes in spark:
- Avoid using bash -c in ShellBasedGroupsMappingProvider. (bsc#1204326, CVE-2022-33891)
- Add _constraints to prevent build from running out of disk space
- Update to version group-based-policy-14.0.1.dev47:
* Remove python39 from voting
Patchnames: SUSE-2023-70,SUSE-OpenStack-Cloud-9-2023-70,SUSE-OpenStack-Cloud-Crowbar-9-2023-70
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.1 (High)
Affected products
Recommended
52 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE OpenStack Cloud 9:openstack-barbican-7.0.1~dev24-3.17.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 9:openstack-barbican-api-7.0.1~dev24-3.17.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 9:openstack-barbican-keystone-listener-7.0.1~dev24-3.17.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 9:openstack-barbican-retry-7.0.1~dev24-3.17.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 9:openstack-barbican-worker-7.0.1~dev24-3.17.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 9:openstack-heat-gbp-14.0.1~dev5-3.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 9:openstack-horizon-plugin-gbp-ui-14.0.1~dev6-3.15.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 9:openstack-neutron-13.0.8~dev209-3.43.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 9:openstack-neutron-dhcp-agent-13.0.8~dev209-3.43.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 9:openstack-neutron-gbp-14.0.1~dev52-3.37.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 9:openstack-neutron-ha-tool-13.0.8~dev209-3.43.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 9:openstack-neutron-l3-agent-13.0.8~dev209-3.43.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 9:openstack-neutron-linuxbridge-agent-13.0.8~dev209-3.43.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 9:openstack-neutron-macvtap-agent-13.0.8~dev209-3.43.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 9:openstack-neutron-metadata-agent-13.0.8~dev209-3.43.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 9:openstack-neutron-metering-agent-13.0.8~dev209-3.43.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 9:openstack-neutron-openvswitch-agent-13.0.8~dev209-3.43.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 9:openstack-neutron-server-13.0.8~dev209-3.43.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 9:python-barbican-7.0.1~dev24-3.17.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 9:python-heat-gbp-14.0.1~dev5-3.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 9:python-horizon-plugin-gbp-ui-14.0.1~dev6-3.15.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 9:python-neutron-13.0.8~dev209-3.43.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 9:python-neutron-gbp-14.0.1~dev52-3.37.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 9:spark-2.2.3-5.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 9:venv-openstack-barbican-x86_64-7.0.1~dev24-3.37.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 9:venv-openstack-horizon-x86_64-14.1.1~dev11-4.43.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 9:venv-openstack-neutron-x86_64-13.0.8~dev209-6.43.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 9:venv-openstack-nova-x86_64-18.3.1~dev92-3.43.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 9:openstack-barbican-7.0.1~dev24-3.17.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 9:openstack-barbican-api-7.0.1~dev24-3.17.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 9:openstack-barbican-keystone-listener-7.0.1~dev24-3.17.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 9:openstack-barbican-retry-7.0.1~dev24-3.17.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 9:openstack-barbican-worker-7.0.1~dev24-3.17.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 9:openstack-heat-gbp-14.0.1~dev5-3.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 9:openstack-horizon-plugin-gbp-ui-14.0.1~dev6-3.15.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 9:openstack-neutron-13.0.8~dev209-3.43.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 9:openstack-neutron-dhcp-agent-13.0.8~dev209-3.43.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 9:openstack-neutron-gbp-14.0.1~dev52-3.37.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 9:openstack-neutron-ha-tool-13.0.8~dev209-3.43.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 9:openstack-neutron-l3-agent-13.0.8~dev209-3.43.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 9:openstack-neutron-linuxbridge-agent-13.0.8~dev209-3.43.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 9:openstack-neutron-macvtap-agent-13.0.8~dev209-3.43.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 9:openstack-neutron-metadata-agent-13.0.8~dev209-3.43.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 9:openstack-neutron-metering-agent-13.0.8~dev209-3.43.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 9:openstack-neutron-openvswitch-agent-13.0.8~dev209-3.43.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 9:openstack-neutron-server-13.0.8~dev209-3.43.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 9:python-barbican-7.0.1~dev24-3.17.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 9:python-heat-gbp-14.0.1~dev5-3.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 9:python-horizon-plugin-gbp-ui-14.0.1~dev6-3.15.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 9:python-neutron-13.0.8~dev209-3.43.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 9:python-neutron-gbp-14.0.1~dev52-3.37.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 9:spark-2.2.3-5.12.1.noarch | — |
Vendor Fix
|
Threats
Impact
important
8.8 (High)
Affected products
Recommended
52 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE OpenStack Cloud 9:openstack-barbican-7.0.1~dev24-3.17.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 9:openstack-barbican-api-7.0.1~dev24-3.17.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 9:openstack-barbican-keystone-listener-7.0.1~dev24-3.17.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 9:openstack-barbican-retry-7.0.1~dev24-3.17.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 9:openstack-barbican-worker-7.0.1~dev24-3.17.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 9:openstack-heat-gbp-14.0.1~dev5-3.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 9:openstack-horizon-plugin-gbp-ui-14.0.1~dev6-3.15.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 9:openstack-neutron-13.0.8~dev209-3.43.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 9:openstack-neutron-dhcp-agent-13.0.8~dev209-3.43.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 9:openstack-neutron-gbp-14.0.1~dev52-3.37.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 9:openstack-neutron-ha-tool-13.0.8~dev209-3.43.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 9:openstack-neutron-l3-agent-13.0.8~dev209-3.43.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 9:openstack-neutron-linuxbridge-agent-13.0.8~dev209-3.43.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 9:openstack-neutron-macvtap-agent-13.0.8~dev209-3.43.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 9:openstack-neutron-metadata-agent-13.0.8~dev209-3.43.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 9:openstack-neutron-metering-agent-13.0.8~dev209-3.43.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 9:openstack-neutron-openvswitch-agent-13.0.8~dev209-3.43.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 9:openstack-neutron-server-13.0.8~dev209-3.43.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 9:python-barbican-7.0.1~dev24-3.17.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 9:python-heat-gbp-14.0.1~dev5-3.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 9:python-horizon-plugin-gbp-ui-14.0.1~dev6-3.15.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 9:python-neutron-13.0.8~dev209-3.43.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 9:python-neutron-gbp-14.0.1~dev52-3.37.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 9:spark-2.2.3-5.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 9:venv-openstack-barbican-x86_64-7.0.1~dev24-3.37.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 9:venv-openstack-horizon-x86_64-14.1.1~dev11-4.43.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 9:venv-openstack-neutron-x86_64-13.0.8~dev209-6.43.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 9:venv-openstack-nova-x86_64-18.3.1~dev92-3.43.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 9:openstack-barbican-7.0.1~dev24-3.17.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 9:openstack-barbican-api-7.0.1~dev24-3.17.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 9:openstack-barbican-keystone-listener-7.0.1~dev24-3.17.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 9:openstack-barbican-retry-7.0.1~dev24-3.17.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 9:openstack-barbican-worker-7.0.1~dev24-3.17.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 9:openstack-heat-gbp-14.0.1~dev5-3.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 9:openstack-horizon-plugin-gbp-ui-14.0.1~dev6-3.15.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 9:openstack-neutron-13.0.8~dev209-3.43.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 9:openstack-neutron-dhcp-agent-13.0.8~dev209-3.43.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 9:openstack-neutron-gbp-14.0.1~dev52-3.37.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 9:openstack-neutron-ha-tool-13.0.8~dev209-3.43.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 9:openstack-neutron-l3-agent-13.0.8~dev209-3.43.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 9:openstack-neutron-linuxbridge-agent-13.0.8~dev209-3.43.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 9:openstack-neutron-macvtap-agent-13.0.8~dev209-3.43.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 9:openstack-neutron-metadata-agent-13.0.8~dev209-3.43.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 9:openstack-neutron-metering-agent-13.0.8~dev209-3.43.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 9:openstack-neutron-openvswitch-agent-13.0.8~dev209-3.43.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 9:openstack-neutron-server-13.0.8~dev209-3.43.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 9:python-barbican-7.0.1~dev24-3.17.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 9:python-heat-gbp-14.0.1~dev5-3.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 9:python-horizon-plugin-gbp-ui-14.0.1~dev6-3.15.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 9:python-neutron-13.0.8~dev209-3.43.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 9:python-neutron-gbp-14.0.1~dev52-3.37.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 9:spark-2.2.3-5.12.1.noarch | — |
Vendor Fix
|
Threats
Impact
important
References
12 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for openstack-barbican, openstack-heat-gbp, openstack-horizon-plugin-gbp-ui, openstack-neutron, openstack-neutron-gbp",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for openstack-barbican, openstack-heat-gbp, openstack-horizon-plugin-gbp-ui, openstack-neutron, openstack-neutron-gbp fixes the following issues:\n\nSecurity fixes included on this update:\n\nopenstack-barbican:\n\n- CVE-2022-3100: Fixed an access policy bypass via query string injection (bsc#1203873).\n\nspark:\n\n- CVE-2022-33891: Fixed a command injection vulnerability via Spark UI (bsc#1204326).\n\n\nNon Security fixes:\n\nChanges in openstack-barbican:\n- Add patch to address access policy bypass via query string injection.\n (bsc#1203873, CVE-2022-3100.)\n\nChanges in openstack-heat-gbp:\n- Update to version group-based-policy-automation-14.0.1.dev5:\n * Add support for zed\n\nChanges in openstack-horizon-plugin-gbp-ui:\n- Update to version group-based-policy-ui-14.0.1.dev6:\n * Add support for zed\n\n- Update to version group-based-policy-ui-14.0.1.dev5:\n * fix launch instance GBP issue\n\nChanges in openstack-neutron:\n- Update to version neutron-13.0.8.dev209:\n * Update documentation link for openSUSE index\n\n- Update to version neutron-13.0.8.dev208:\n * fix: Fix url of Floodlight\n\n- Update to version neutron-13.0.8.dev207:\n * Mellanox\\_eth.img url expires, remove the mellanox\\_eth.img node\n\nChanges in openstack-neutron:\n- Update to version neutron-13.0.8.dev209:\n * Update documentation link for openSUSE index\n\n- Update to version neutron-13.0.8.dev208:\n * fix: Fix url of Floodlight\n\n- Update to version neutron-13.0.8.dev207:\n * Mellanox\\_eth.img url expires, remove the mellanox\\_eth.img node\n\nChanges in openstack-neutron-gbp:\n- Update to version group-based-policy-14.0.1.dev52:\n * Fix keystone notification listener\n\n- Update to version group-based-policy-14.0.1.dev51:\n * Support for epg subnet\n 2014.2.0rc1\n\n- Update to version group-based-policy-14.0.1.dev50:\n * Use top-level contract references\n 2014.2.rc1\n\n- Update to version group-based-policy-14.0.1.dev48:\n * Remove py37 jobs from gate\n 2014.2rc1\n\nChanges in spark:\n- Avoid using bash -c in ShellBasedGroupsMappingProvider. (bsc#1204326, CVE-2022-33891)\n\n- Add _constraints to prevent build from running out of disk space\n\n- Update to version group-based-policy-14.0.1.dev47:\n * Remove python39 from voting\n\n ",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2023-70,SUSE-OpenStack-Cloud-9-2023-70,SUSE-OpenStack-Cloud-Crowbar-9-2023-70",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2023_0070-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2023:0070-1",
"url": "https://www.suse.com/support/update/announcement/2023/suse-su-20230070-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2023:0070-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2023-January/013456.html"
},
{
"category": "self",
"summary": "SUSE Bug 1203873",
"url": "https://bugzilla.suse.com/1203873"
},
{
"category": "self",
"summary": "SUSE Bug 1204326",
"url": "https://bugzilla.suse.com/1204326"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-3100 page",
"url": "https://www.suse.com/security/cve/CVE-2022-3100/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-33891 page",
"url": "https://www.suse.com/security/cve/CVE-2022-33891/"
}
],
"title": "Security update for openstack-barbican, openstack-heat-gbp, openstack-horizon-plugin-gbp-ui, openstack-neutron, openstack-neutron-gbp",
"tracking": {
"current_release_date": "2023-01-11T14:40:56Z",
"generator": {
"date": "2023-01-11T14:40:56Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2023:0070-1",
"initial_release_date": "2023-01-11T14:40:56Z",
"revision_history": [
{
"date": "2023-01-11T14:40:56Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "openstack-barbican-7.0.1~dev24-3.17.1.noarch",
"product": {
"name": "openstack-barbican-7.0.1~dev24-3.17.1.noarch",
"product_id": "openstack-barbican-7.0.1~dev24-3.17.1.noarch"
}
},
{
"category": "product_version",
"name": "openstack-barbican-api-7.0.1~dev24-3.17.1.noarch",
"product": {
"name": "openstack-barbican-api-7.0.1~dev24-3.17.1.noarch",
"product_id": "openstack-barbican-api-7.0.1~dev24-3.17.1.noarch"
}
},
{
"category": "product_version",
"name": "openstack-barbican-keystone-listener-7.0.1~dev24-3.17.1.noarch",
"product": {
"name": "openstack-barbican-keystone-listener-7.0.1~dev24-3.17.1.noarch",
"product_id": "openstack-barbican-keystone-listener-7.0.1~dev24-3.17.1.noarch"
}
},
{
"category": "product_version",
"name": "openstack-barbican-retry-7.0.1~dev24-3.17.1.noarch",
"product": {
"name": "openstack-barbican-retry-7.0.1~dev24-3.17.1.noarch",
"product_id": "openstack-barbican-retry-7.0.1~dev24-3.17.1.noarch"
}
},
{
"category": "product_version",
"name": "openstack-barbican-test-7.0.1~dev24-3.17.1.noarch",
"product": {
"name": "openstack-barbican-test-7.0.1~dev24-3.17.1.noarch",
"product_id": "openstack-barbican-test-7.0.1~dev24-3.17.1.noarch"
}
},
{
"category": "product_version",
"name": "openstack-barbican-worker-7.0.1~dev24-3.17.1.noarch",
"product": {
"name": "openstack-barbican-worker-7.0.1~dev24-3.17.1.noarch",
"product_id": "openstack-barbican-worker-7.0.1~dev24-3.17.1.noarch"
}
},
{
"category": "product_version",
"name": "openstack-heat-gbp-14.0.1~dev5-3.12.1.noarch",
"product": {
"name": "openstack-heat-gbp-14.0.1~dev5-3.12.1.noarch",
"product_id": "openstack-heat-gbp-14.0.1~dev5-3.12.1.noarch"
}
},
{
"category": "product_version",
"name": "openstack-heat-gbp-test-14.0.1~dev5-3.12.1.noarch",
"product": {
"name": "openstack-heat-gbp-test-14.0.1~dev5-3.12.1.noarch",
"product_id": "openstack-heat-gbp-test-14.0.1~dev5-3.12.1.noarch"
}
},
{
"category": "product_version",
"name": "openstack-horizon-plugin-gbp-ui-14.0.1~dev6-3.15.1.noarch",
"product": {
"name": "openstack-horizon-plugin-gbp-ui-14.0.1~dev6-3.15.1.noarch",
"product_id": "openstack-horizon-plugin-gbp-ui-14.0.1~dev6-3.15.1.noarch"
}
},
{
"category": "product_version",
"name": "openstack-horizon-plugin-gbp-ui-test-14.0.1~dev6-3.15.1.noarch",
"product": {
"name": "openstack-horizon-plugin-gbp-ui-test-14.0.1~dev6-3.15.1.noarch",
"product_id": "openstack-horizon-plugin-gbp-ui-test-14.0.1~dev6-3.15.1.noarch"
}
},
{
"category": "product_version",
"name": "openstack-neutron-13.0.8~dev209-3.43.1.noarch",
"product": {
"name": "openstack-neutron-13.0.8~dev209-3.43.1.noarch",
"product_id": "openstack-neutron-13.0.8~dev209-3.43.1.noarch"
}
},
{
"category": "product_version",
"name": "openstack-neutron-dhcp-agent-13.0.8~dev209-3.43.1.noarch",
"product": {
"name": "openstack-neutron-dhcp-agent-13.0.8~dev209-3.43.1.noarch",
"product_id": "openstack-neutron-dhcp-agent-13.0.8~dev209-3.43.1.noarch"
}
},
{
"category": "product_version",
"name": "openstack-neutron-gbp-14.0.1~dev52-3.37.1.noarch",
"product": {
"name": "openstack-neutron-gbp-14.0.1~dev52-3.37.1.noarch",
"product_id": "openstack-neutron-gbp-14.0.1~dev52-3.37.1.noarch"
}
},
{
"category": "product_version",
"name": "openstack-neutron-gbp-test-14.0.1~dev52-3.37.1.noarch",
"product": {
"name": "openstack-neutron-gbp-test-14.0.1~dev52-3.37.1.noarch",
"product_id": "openstack-neutron-gbp-test-14.0.1~dev52-3.37.1.noarch"
}
},
{
"category": "product_version",
"name": "openstack-neutron-ha-tool-13.0.8~dev209-3.43.1.noarch",
"product": {
"name": "openstack-neutron-ha-tool-13.0.8~dev209-3.43.1.noarch",
"product_id": "openstack-neutron-ha-tool-13.0.8~dev209-3.43.1.noarch"
}
},
{
"category": "product_version",
"name": "openstack-neutron-l3-agent-13.0.8~dev209-3.43.1.noarch",
"product": {
"name": "openstack-neutron-l3-agent-13.0.8~dev209-3.43.1.noarch",
"product_id": "openstack-neutron-l3-agent-13.0.8~dev209-3.43.1.noarch"
}
},
{
"category": "product_version",
"name": "openstack-neutron-linuxbridge-agent-13.0.8~dev209-3.43.1.noarch",
"product": {
"name": "openstack-neutron-linuxbridge-agent-13.0.8~dev209-3.43.1.noarch",
"product_id": "openstack-neutron-linuxbridge-agent-13.0.8~dev209-3.43.1.noarch"
}
},
{
"category": "product_version",
"name": "openstack-neutron-macvtap-agent-13.0.8~dev209-3.43.1.noarch",
"product": {
"name": "openstack-neutron-macvtap-agent-13.0.8~dev209-3.43.1.noarch",
"product_id": "openstack-neutron-macvtap-agent-13.0.8~dev209-3.43.1.noarch"
}
},
{
"category": "product_version",
"name": "openstack-neutron-metadata-agent-13.0.8~dev209-3.43.1.noarch",
"product": {
"name": "openstack-neutron-metadata-agent-13.0.8~dev209-3.43.1.noarch",
"product_id": "openstack-neutron-metadata-agent-13.0.8~dev209-3.43.1.noarch"
}
},
{
"category": "product_version",
"name": "openstack-neutron-metering-agent-13.0.8~dev209-3.43.1.noarch",
"product": {
"name": "openstack-neutron-metering-agent-13.0.8~dev209-3.43.1.noarch",
"product_id": "openstack-neutron-metering-agent-13.0.8~dev209-3.43.1.noarch"
}
},
{
"category": "product_version",
"name": "openstack-neutron-openvswitch-agent-13.0.8~dev209-3.43.1.noarch",
"product": {
"name": "openstack-neutron-openvswitch-agent-13.0.8~dev209-3.43.1.noarch",
"product_id": "openstack-neutron-openvswitch-agent-13.0.8~dev209-3.43.1.noarch"
}
},
{
"category": "product_version",
"name": "openstack-neutron-server-13.0.8~dev209-3.43.1.noarch",
"product": {
"name": "openstack-neutron-server-13.0.8~dev209-3.43.1.noarch",
"product_id": "openstack-neutron-server-13.0.8~dev209-3.43.1.noarch"
}
},
{
"category": "product_version",
"name": "openstack-neutron-test-13.0.8~dev209-3.43.1.noarch",
"product": {
"name": "openstack-neutron-test-13.0.8~dev209-3.43.1.noarch",
"product_id": "openstack-neutron-test-13.0.8~dev209-3.43.1.noarch"
}
},
{
"category": "product_version",
"name": "python-barbican-7.0.1~dev24-3.17.1.noarch",
"product": {
"name": "python-barbican-7.0.1~dev24-3.17.1.noarch",
"product_id": "python-barbican-7.0.1~dev24-3.17.1.noarch"
}
},
{
"category": "product_version",
"name": "python-heat-gbp-14.0.1~dev5-3.12.1.noarch",
"product": {
"name": "python-heat-gbp-14.0.1~dev5-3.12.1.noarch",
"product_id": "python-heat-gbp-14.0.1~dev5-3.12.1.noarch"
}
},
{
"category": "product_version",
"name": "python-horizon-plugin-gbp-ui-14.0.1~dev6-3.15.1.noarch",
"product": {
"name": "python-horizon-plugin-gbp-ui-14.0.1~dev6-3.15.1.noarch",
"product_id": "python-horizon-plugin-gbp-ui-14.0.1~dev6-3.15.1.noarch"
}
},
{
"category": "product_version",
"name": "python-neutron-13.0.8~dev209-3.43.1.noarch",
"product": {
"name": "python-neutron-13.0.8~dev209-3.43.1.noarch",
"product_id": "python-neutron-13.0.8~dev209-3.43.1.noarch"
}
},
{
"category": "product_version",
"name": "python-neutron-gbp-14.0.1~dev52-3.37.1.noarch",
"product": {
"name": "python-neutron-gbp-14.0.1~dev52-3.37.1.noarch",
"product_id": "python-neutron-gbp-14.0.1~dev52-3.37.1.noarch"
}
},
{
"category": "product_version",
"name": "spark-2.2.3-5.12.1.noarch",
"product": {
"name": "spark-2.2.3-5.12.1.noarch",
"product_id": "spark-2.2.3-5.12.1.noarch"
}
},
{
"category": "product_version",
"name": "venv-openstack-barbican-x86_64-7.0.1~dev24-3.37.1.noarch",
"product": {
"name": "venv-openstack-barbican-x86_64-7.0.1~dev24-3.37.1.noarch",
"product_id": "venv-openstack-barbican-x86_64-7.0.1~dev24-3.37.1.noarch"
}
},
{
"category": "product_version",
"name": "venv-openstack-horizon-x86_64-14.1.1~dev11-4.43.1.noarch",
"product": {
"name": "venv-openstack-horizon-x86_64-14.1.1~dev11-4.43.1.noarch",
"product_id": "venv-openstack-horizon-x86_64-14.1.1~dev11-4.43.1.noarch"
}
},
{
"category": "product_version",
"name": "venv-openstack-neutron-x86_64-13.0.8~dev209-6.43.1.noarch",
"product": {
"name": "venv-openstack-neutron-x86_64-13.0.8~dev209-6.43.1.noarch",
"product_id": "venv-openstack-neutron-x86_64-13.0.8~dev209-6.43.1.noarch"
}
},
{
"category": "product_version",
"name": "venv-openstack-nova-x86_64-18.3.1~dev92-3.43.1.noarch",
"product": {
"name": "venv-openstack-nova-x86_64-18.3.1~dev92-3.43.1.noarch",
"product_id": "venv-openstack-nova-x86_64-18.3.1~dev92-3.43.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE OpenStack Cloud 9",
"product": {
"name": "SUSE OpenStack Cloud 9",
"product_id": "SUSE OpenStack Cloud 9",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse-openstack-cloud:9"
}
}
},
{
"category": "product_name",
"name": "SUSE OpenStack Cloud Crowbar 9",
"product": {
"name": "SUSE OpenStack Cloud Crowbar 9",
"product_id": "SUSE OpenStack Cloud Crowbar 9",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse-openstack-cloud-crowbar:9"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-barbican-7.0.1~dev24-3.17.1.noarch as component of SUSE OpenStack Cloud 9",
"product_id": "SUSE OpenStack Cloud 9:openstack-barbican-7.0.1~dev24-3.17.1.noarch"
},
"product_reference": "openstack-barbican-7.0.1~dev24-3.17.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud 9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-barbican-api-7.0.1~dev24-3.17.1.noarch as component of SUSE OpenStack Cloud 9",
"product_id": "SUSE OpenStack Cloud 9:openstack-barbican-api-7.0.1~dev24-3.17.1.noarch"
},
"product_reference": "openstack-barbican-api-7.0.1~dev24-3.17.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud 9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-barbican-keystone-listener-7.0.1~dev24-3.17.1.noarch as component of SUSE OpenStack Cloud 9",
"product_id": "SUSE OpenStack Cloud 9:openstack-barbican-keystone-listener-7.0.1~dev24-3.17.1.noarch"
},
"product_reference": "openstack-barbican-keystone-listener-7.0.1~dev24-3.17.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud 9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-barbican-retry-7.0.1~dev24-3.17.1.noarch as component of SUSE OpenStack Cloud 9",
"product_id": "SUSE OpenStack Cloud 9:openstack-barbican-retry-7.0.1~dev24-3.17.1.noarch"
},
"product_reference": "openstack-barbican-retry-7.0.1~dev24-3.17.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud 9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-barbican-worker-7.0.1~dev24-3.17.1.noarch as component of SUSE OpenStack Cloud 9",
"product_id": "SUSE OpenStack Cloud 9:openstack-barbican-worker-7.0.1~dev24-3.17.1.noarch"
},
"product_reference": "openstack-barbican-worker-7.0.1~dev24-3.17.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud 9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-heat-gbp-14.0.1~dev5-3.12.1.noarch as component of SUSE OpenStack Cloud 9",
"product_id": "SUSE OpenStack Cloud 9:openstack-heat-gbp-14.0.1~dev5-3.12.1.noarch"
},
"product_reference": "openstack-heat-gbp-14.0.1~dev5-3.12.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud 9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-horizon-plugin-gbp-ui-14.0.1~dev6-3.15.1.noarch as component of SUSE OpenStack Cloud 9",
"product_id": "SUSE OpenStack Cloud 9:openstack-horizon-plugin-gbp-ui-14.0.1~dev6-3.15.1.noarch"
},
"product_reference": "openstack-horizon-plugin-gbp-ui-14.0.1~dev6-3.15.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud 9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-neutron-13.0.8~dev209-3.43.1.noarch as component of SUSE OpenStack Cloud 9",
"product_id": "SUSE OpenStack Cloud 9:openstack-neutron-13.0.8~dev209-3.43.1.noarch"
},
"product_reference": "openstack-neutron-13.0.8~dev209-3.43.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud 9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-neutron-dhcp-agent-13.0.8~dev209-3.43.1.noarch as component of SUSE OpenStack Cloud 9",
"product_id": "SUSE OpenStack Cloud 9:openstack-neutron-dhcp-agent-13.0.8~dev209-3.43.1.noarch"
},
"product_reference": "openstack-neutron-dhcp-agent-13.0.8~dev209-3.43.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud 9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-neutron-gbp-14.0.1~dev52-3.37.1.noarch as component of SUSE OpenStack Cloud 9",
"product_id": "SUSE OpenStack Cloud 9:openstack-neutron-gbp-14.0.1~dev52-3.37.1.noarch"
},
"product_reference": "openstack-neutron-gbp-14.0.1~dev52-3.37.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud 9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-neutron-ha-tool-13.0.8~dev209-3.43.1.noarch as component of SUSE OpenStack Cloud 9",
"product_id": "SUSE OpenStack Cloud 9:openstack-neutron-ha-tool-13.0.8~dev209-3.43.1.noarch"
},
"product_reference": "openstack-neutron-ha-tool-13.0.8~dev209-3.43.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud 9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-neutron-l3-agent-13.0.8~dev209-3.43.1.noarch as component of SUSE OpenStack Cloud 9",
"product_id": "SUSE OpenStack Cloud 9:openstack-neutron-l3-agent-13.0.8~dev209-3.43.1.noarch"
},
"product_reference": "openstack-neutron-l3-agent-13.0.8~dev209-3.43.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud 9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-neutron-linuxbridge-agent-13.0.8~dev209-3.43.1.noarch as component of SUSE OpenStack Cloud 9",
"product_id": "SUSE OpenStack Cloud 9:openstack-neutron-linuxbridge-agent-13.0.8~dev209-3.43.1.noarch"
},
"product_reference": "openstack-neutron-linuxbridge-agent-13.0.8~dev209-3.43.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud 9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-neutron-macvtap-agent-13.0.8~dev209-3.43.1.noarch as component of SUSE OpenStack Cloud 9",
"product_id": "SUSE OpenStack Cloud 9:openstack-neutron-macvtap-agent-13.0.8~dev209-3.43.1.noarch"
},
"product_reference": "openstack-neutron-macvtap-agent-13.0.8~dev209-3.43.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud 9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-neutron-metadata-agent-13.0.8~dev209-3.43.1.noarch as component of SUSE OpenStack Cloud 9",
"product_id": "SUSE OpenStack Cloud 9:openstack-neutron-metadata-agent-13.0.8~dev209-3.43.1.noarch"
},
"product_reference": "openstack-neutron-metadata-agent-13.0.8~dev209-3.43.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud 9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-neutron-metering-agent-13.0.8~dev209-3.43.1.noarch as component of SUSE OpenStack Cloud 9",
"product_id": "SUSE OpenStack Cloud 9:openstack-neutron-metering-agent-13.0.8~dev209-3.43.1.noarch"
},
"product_reference": "openstack-neutron-metering-agent-13.0.8~dev209-3.43.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud 9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-neutron-openvswitch-agent-13.0.8~dev209-3.43.1.noarch as component of SUSE OpenStack Cloud 9",
"product_id": "SUSE OpenStack Cloud 9:openstack-neutron-openvswitch-agent-13.0.8~dev209-3.43.1.noarch"
},
"product_reference": "openstack-neutron-openvswitch-agent-13.0.8~dev209-3.43.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud 9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-neutron-server-13.0.8~dev209-3.43.1.noarch as component of SUSE OpenStack Cloud 9",
"product_id": "SUSE OpenStack Cloud 9:openstack-neutron-server-13.0.8~dev209-3.43.1.noarch"
},
"product_reference": "openstack-neutron-server-13.0.8~dev209-3.43.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud 9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-barbican-7.0.1~dev24-3.17.1.noarch as component of SUSE OpenStack Cloud 9",
"product_id": "SUSE OpenStack Cloud 9:python-barbican-7.0.1~dev24-3.17.1.noarch"
},
"product_reference": "python-barbican-7.0.1~dev24-3.17.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud 9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-heat-gbp-14.0.1~dev5-3.12.1.noarch as component of SUSE OpenStack Cloud 9",
"product_id": "SUSE OpenStack Cloud 9:python-heat-gbp-14.0.1~dev5-3.12.1.noarch"
},
"product_reference": "python-heat-gbp-14.0.1~dev5-3.12.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud 9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-horizon-plugin-gbp-ui-14.0.1~dev6-3.15.1.noarch as component of SUSE OpenStack Cloud 9",
"product_id": "SUSE OpenStack Cloud 9:python-horizon-plugin-gbp-ui-14.0.1~dev6-3.15.1.noarch"
},
"product_reference": "python-horizon-plugin-gbp-ui-14.0.1~dev6-3.15.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud 9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-neutron-13.0.8~dev209-3.43.1.noarch as component of SUSE OpenStack Cloud 9",
"product_id": "SUSE OpenStack Cloud 9:python-neutron-13.0.8~dev209-3.43.1.noarch"
},
"product_reference": "python-neutron-13.0.8~dev209-3.43.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud 9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-neutron-gbp-14.0.1~dev52-3.37.1.noarch as component of SUSE OpenStack Cloud 9",
"product_id": "SUSE OpenStack Cloud 9:python-neutron-gbp-14.0.1~dev52-3.37.1.noarch"
},
"product_reference": "python-neutron-gbp-14.0.1~dev52-3.37.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud 9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "spark-2.2.3-5.12.1.noarch as component of SUSE OpenStack Cloud 9",
"product_id": "SUSE OpenStack Cloud 9:spark-2.2.3-5.12.1.noarch"
},
"product_reference": "spark-2.2.3-5.12.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud 9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "venv-openstack-barbican-x86_64-7.0.1~dev24-3.37.1.noarch as component of SUSE OpenStack Cloud 9",
"product_id": "SUSE OpenStack Cloud 9:venv-openstack-barbican-x86_64-7.0.1~dev24-3.37.1.noarch"
},
"product_reference": "venv-openstack-barbican-x86_64-7.0.1~dev24-3.37.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud 9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "venv-openstack-horizon-x86_64-14.1.1~dev11-4.43.1.noarch as component of SUSE OpenStack Cloud 9",
"product_id": "SUSE OpenStack Cloud 9:venv-openstack-horizon-x86_64-14.1.1~dev11-4.43.1.noarch"
},
"product_reference": "venv-openstack-horizon-x86_64-14.1.1~dev11-4.43.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud 9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "venv-openstack-neutron-x86_64-13.0.8~dev209-6.43.1.noarch as component of SUSE OpenStack Cloud 9",
"product_id": "SUSE OpenStack Cloud 9:venv-openstack-neutron-x86_64-13.0.8~dev209-6.43.1.noarch"
},
"product_reference": "venv-openstack-neutron-x86_64-13.0.8~dev209-6.43.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud 9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "venv-openstack-nova-x86_64-18.3.1~dev92-3.43.1.noarch as component of SUSE OpenStack Cloud 9",
"product_id": "SUSE OpenStack Cloud 9:venv-openstack-nova-x86_64-18.3.1~dev92-3.43.1.noarch"
},
"product_reference": "venv-openstack-nova-x86_64-18.3.1~dev92-3.43.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud 9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-barbican-7.0.1~dev24-3.17.1.noarch as component of SUSE OpenStack Cloud Crowbar 9",
"product_id": "SUSE OpenStack Cloud Crowbar 9:openstack-barbican-7.0.1~dev24-3.17.1.noarch"
},
"product_reference": "openstack-barbican-7.0.1~dev24-3.17.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-barbican-api-7.0.1~dev24-3.17.1.noarch as component of SUSE OpenStack Cloud Crowbar 9",
"product_id": "SUSE OpenStack Cloud Crowbar 9:openstack-barbican-api-7.0.1~dev24-3.17.1.noarch"
},
"product_reference": "openstack-barbican-api-7.0.1~dev24-3.17.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-barbican-keystone-listener-7.0.1~dev24-3.17.1.noarch as component of SUSE OpenStack Cloud Crowbar 9",
"product_id": "SUSE OpenStack Cloud Crowbar 9:openstack-barbican-keystone-listener-7.0.1~dev24-3.17.1.noarch"
},
"product_reference": "openstack-barbican-keystone-listener-7.0.1~dev24-3.17.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-barbican-retry-7.0.1~dev24-3.17.1.noarch as component of SUSE OpenStack Cloud Crowbar 9",
"product_id": "SUSE OpenStack Cloud Crowbar 9:openstack-barbican-retry-7.0.1~dev24-3.17.1.noarch"
},
"product_reference": "openstack-barbican-retry-7.0.1~dev24-3.17.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-barbican-worker-7.0.1~dev24-3.17.1.noarch as component of SUSE OpenStack Cloud Crowbar 9",
"product_id": "SUSE OpenStack Cloud Crowbar 9:openstack-barbican-worker-7.0.1~dev24-3.17.1.noarch"
},
"product_reference": "openstack-barbican-worker-7.0.1~dev24-3.17.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-heat-gbp-14.0.1~dev5-3.12.1.noarch as component of SUSE OpenStack Cloud Crowbar 9",
"product_id": "SUSE OpenStack Cloud Crowbar 9:openstack-heat-gbp-14.0.1~dev5-3.12.1.noarch"
},
"product_reference": "openstack-heat-gbp-14.0.1~dev5-3.12.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-horizon-plugin-gbp-ui-14.0.1~dev6-3.15.1.noarch as component of SUSE OpenStack Cloud Crowbar 9",
"product_id": "SUSE OpenStack Cloud Crowbar 9:openstack-horizon-plugin-gbp-ui-14.0.1~dev6-3.15.1.noarch"
},
"product_reference": "openstack-horizon-plugin-gbp-ui-14.0.1~dev6-3.15.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-neutron-13.0.8~dev209-3.43.1.noarch as component of SUSE OpenStack Cloud Crowbar 9",
"product_id": "SUSE OpenStack Cloud Crowbar 9:openstack-neutron-13.0.8~dev209-3.43.1.noarch"
},
"product_reference": "openstack-neutron-13.0.8~dev209-3.43.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-neutron-dhcp-agent-13.0.8~dev209-3.43.1.noarch as component of SUSE OpenStack Cloud Crowbar 9",
"product_id": "SUSE OpenStack Cloud Crowbar 9:openstack-neutron-dhcp-agent-13.0.8~dev209-3.43.1.noarch"
},
"product_reference": "openstack-neutron-dhcp-agent-13.0.8~dev209-3.43.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-neutron-gbp-14.0.1~dev52-3.37.1.noarch as component of SUSE OpenStack Cloud Crowbar 9",
"product_id": "SUSE OpenStack Cloud Crowbar 9:openstack-neutron-gbp-14.0.1~dev52-3.37.1.noarch"
},
"product_reference": "openstack-neutron-gbp-14.0.1~dev52-3.37.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-neutron-ha-tool-13.0.8~dev209-3.43.1.noarch as component of SUSE OpenStack Cloud Crowbar 9",
"product_id": "SUSE OpenStack Cloud Crowbar 9:openstack-neutron-ha-tool-13.0.8~dev209-3.43.1.noarch"
},
"product_reference": "openstack-neutron-ha-tool-13.0.8~dev209-3.43.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-neutron-l3-agent-13.0.8~dev209-3.43.1.noarch as component of SUSE OpenStack Cloud Crowbar 9",
"product_id": "SUSE OpenStack Cloud Crowbar 9:openstack-neutron-l3-agent-13.0.8~dev209-3.43.1.noarch"
},
"product_reference": "openstack-neutron-l3-agent-13.0.8~dev209-3.43.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-neutron-linuxbridge-agent-13.0.8~dev209-3.43.1.noarch as component of SUSE OpenStack Cloud Crowbar 9",
"product_id": "SUSE OpenStack Cloud Crowbar 9:openstack-neutron-linuxbridge-agent-13.0.8~dev209-3.43.1.noarch"
},
"product_reference": "openstack-neutron-linuxbridge-agent-13.0.8~dev209-3.43.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-neutron-macvtap-agent-13.0.8~dev209-3.43.1.noarch as component of SUSE OpenStack Cloud Crowbar 9",
"product_id": "SUSE OpenStack Cloud Crowbar 9:openstack-neutron-macvtap-agent-13.0.8~dev209-3.43.1.noarch"
},
"product_reference": "openstack-neutron-macvtap-agent-13.0.8~dev209-3.43.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-neutron-metadata-agent-13.0.8~dev209-3.43.1.noarch as component of SUSE OpenStack Cloud Crowbar 9",
"product_id": "SUSE OpenStack Cloud Crowbar 9:openstack-neutron-metadata-agent-13.0.8~dev209-3.43.1.noarch"
},
"product_reference": "openstack-neutron-metadata-agent-13.0.8~dev209-3.43.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-neutron-metering-agent-13.0.8~dev209-3.43.1.noarch as component of SUSE OpenStack Cloud Crowbar 9",
"product_id": "SUSE OpenStack Cloud Crowbar 9:openstack-neutron-metering-agent-13.0.8~dev209-3.43.1.noarch"
},
"product_reference": "openstack-neutron-metering-agent-13.0.8~dev209-3.43.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-neutron-openvswitch-agent-13.0.8~dev209-3.43.1.noarch as component of SUSE OpenStack Cloud Crowbar 9",
"product_id": "SUSE OpenStack Cloud Crowbar 9:openstack-neutron-openvswitch-agent-13.0.8~dev209-3.43.1.noarch"
},
"product_reference": "openstack-neutron-openvswitch-agent-13.0.8~dev209-3.43.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-neutron-server-13.0.8~dev209-3.43.1.noarch as component of SUSE OpenStack Cloud Crowbar 9",
"product_id": "SUSE OpenStack Cloud Crowbar 9:openstack-neutron-server-13.0.8~dev209-3.43.1.noarch"
},
"product_reference": "openstack-neutron-server-13.0.8~dev209-3.43.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-barbican-7.0.1~dev24-3.17.1.noarch as component of SUSE OpenStack Cloud Crowbar 9",
"product_id": "SUSE OpenStack Cloud Crowbar 9:python-barbican-7.0.1~dev24-3.17.1.noarch"
},
"product_reference": "python-barbican-7.0.1~dev24-3.17.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-heat-gbp-14.0.1~dev5-3.12.1.noarch as component of SUSE OpenStack Cloud Crowbar 9",
"product_id": "SUSE OpenStack Cloud Crowbar 9:python-heat-gbp-14.0.1~dev5-3.12.1.noarch"
},
"product_reference": "python-heat-gbp-14.0.1~dev5-3.12.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-horizon-plugin-gbp-ui-14.0.1~dev6-3.15.1.noarch as component of SUSE OpenStack Cloud Crowbar 9",
"product_id": "SUSE OpenStack Cloud Crowbar 9:python-horizon-plugin-gbp-ui-14.0.1~dev6-3.15.1.noarch"
},
"product_reference": "python-horizon-plugin-gbp-ui-14.0.1~dev6-3.15.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-neutron-13.0.8~dev209-3.43.1.noarch as component of SUSE OpenStack Cloud Crowbar 9",
"product_id": "SUSE OpenStack Cloud Crowbar 9:python-neutron-13.0.8~dev209-3.43.1.noarch"
},
"product_reference": "python-neutron-13.0.8~dev209-3.43.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-neutron-gbp-14.0.1~dev52-3.37.1.noarch as component of SUSE OpenStack Cloud Crowbar 9",
"product_id": "SUSE OpenStack Cloud Crowbar 9:python-neutron-gbp-14.0.1~dev52-3.37.1.noarch"
},
"product_reference": "python-neutron-gbp-14.0.1~dev52-3.37.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "spark-2.2.3-5.12.1.noarch as component of SUSE OpenStack Cloud Crowbar 9",
"product_id": "SUSE OpenStack Cloud Crowbar 9:spark-2.2.3-5.12.1.noarch"
},
"product_reference": "spark-2.2.3-5.12.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 9"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-3100",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-3100"
}
],
"notes": [
{
"category": "general",
"text": "A flaw was found in the openstack-barbican component. This issue allows an access policy bypass via a query string when accessing the API.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE OpenStack Cloud 9:openstack-barbican-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud 9:openstack-barbican-api-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud 9:openstack-barbican-keystone-listener-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud 9:openstack-barbican-retry-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud 9:openstack-barbican-worker-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud 9:openstack-heat-gbp-14.0.1~dev5-3.12.1.noarch",
"SUSE OpenStack Cloud 9:openstack-horizon-plugin-gbp-ui-14.0.1~dev6-3.15.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-dhcp-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-gbp-14.0.1~dev52-3.37.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-ha-tool-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-l3-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-linuxbridge-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-macvtap-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-metadata-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-metering-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-openvswitch-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-server-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:python-barbican-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud 9:python-heat-gbp-14.0.1~dev5-3.12.1.noarch",
"SUSE OpenStack Cloud 9:python-horizon-plugin-gbp-ui-14.0.1~dev6-3.15.1.noarch",
"SUSE OpenStack Cloud 9:python-neutron-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:python-neutron-gbp-14.0.1~dev52-3.37.1.noarch",
"SUSE OpenStack Cloud 9:spark-2.2.3-5.12.1.noarch",
"SUSE OpenStack Cloud 9:venv-openstack-barbican-x86_64-7.0.1~dev24-3.37.1.noarch",
"SUSE OpenStack Cloud 9:venv-openstack-horizon-x86_64-14.1.1~dev11-4.43.1.noarch",
"SUSE OpenStack Cloud 9:venv-openstack-neutron-x86_64-13.0.8~dev209-6.43.1.noarch",
"SUSE OpenStack Cloud 9:venv-openstack-nova-x86_64-18.3.1~dev92-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-barbican-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-barbican-api-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-barbican-keystone-listener-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-barbican-retry-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-barbican-worker-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-heat-gbp-14.0.1~dev5-3.12.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-horizon-plugin-gbp-ui-14.0.1~dev6-3.15.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-dhcp-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-gbp-14.0.1~dev52-3.37.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-ha-tool-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-l3-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-linuxbridge-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-macvtap-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-metadata-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-metering-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-openvswitch-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-server-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:python-barbican-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:python-heat-gbp-14.0.1~dev5-3.12.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:python-horizon-plugin-gbp-ui-14.0.1~dev6-3.15.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:python-neutron-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:python-neutron-gbp-14.0.1~dev52-3.37.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:spark-2.2.3-5.12.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-3100",
"url": "https://www.suse.com/security/cve/CVE-2022-3100"
},
{
"category": "external",
"summary": "SUSE Bug 1203873 for CVE-2022-3100",
"url": "https://bugzilla.suse.com/1203873"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE OpenStack Cloud 9:openstack-barbican-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud 9:openstack-barbican-api-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud 9:openstack-barbican-keystone-listener-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud 9:openstack-barbican-retry-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud 9:openstack-barbican-worker-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud 9:openstack-heat-gbp-14.0.1~dev5-3.12.1.noarch",
"SUSE OpenStack Cloud 9:openstack-horizon-plugin-gbp-ui-14.0.1~dev6-3.15.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-dhcp-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-gbp-14.0.1~dev52-3.37.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-ha-tool-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-l3-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-linuxbridge-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-macvtap-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-metadata-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-metering-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-openvswitch-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-server-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:python-barbican-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud 9:python-heat-gbp-14.0.1~dev5-3.12.1.noarch",
"SUSE OpenStack Cloud 9:python-horizon-plugin-gbp-ui-14.0.1~dev6-3.15.1.noarch",
"SUSE OpenStack Cloud 9:python-neutron-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:python-neutron-gbp-14.0.1~dev52-3.37.1.noarch",
"SUSE OpenStack Cloud 9:spark-2.2.3-5.12.1.noarch",
"SUSE OpenStack Cloud 9:venv-openstack-barbican-x86_64-7.0.1~dev24-3.37.1.noarch",
"SUSE OpenStack Cloud 9:venv-openstack-horizon-x86_64-14.1.1~dev11-4.43.1.noarch",
"SUSE OpenStack Cloud 9:venv-openstack-neutron-x86_64-13.0.8~dev209-6.43.1.noarch",
"SUSE OpenStack Cloud 9:venv-openstack-nova-x86_64-18.3.1~dev92-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-barbican-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-barbican-api-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-barbican-keystone-listener-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-barbican-retry-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-barbican-worker-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-heat-gbp-14.0.1~dev5-3.12.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-horizon-plugin-gbp-ui-14.0.1~dev6-3.15.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-dhcp-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-gbp-14.0.1~dev52-3.37.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-ha-tool-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-l3-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-linuxbridge-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-macvtap-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-metadata-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-metering-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-openvswitch-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-server-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:python-barbican-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:python-heat-gbp-14.0.1~dev5-3.12.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:python-horizon-plugin-gbp-ui-14.0.1~dev6-3.15.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:python-neutron-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:python-neutron-gbp-14.0.1~dev52-3.37.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:spark-2.2.3-5.12.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE OpenStack Cloud 9:openstack-barbican-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud 9:openstack-barbican-api-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud 9:openstack-barbican-keystone-listener-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud 9:openstack-barbican-retry-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud 9:openstack-barbican-worker-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud 9:openstack-heat-gbp-14.0.1~dev5-3.12.1.noarch",
"SUSE OpenStack Cloud 9:openstack-horizon-plugin-gbp-ui-14.0.1~dev6-3.15.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-dhcp-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-gbp-14.0.1~dev52-3.37.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-ha-tool-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-l3-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-linuxbridge-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-macvtap-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-metadata-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-metering-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-openvswitch-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-server-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:python-barbican-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud 9:python-heat-gbp-14.0.1~dev5-3.12.1.noarch",
"SUSE OpenStack Cloud 9:python-horizon-plugin-gbp-ui-14.0.1~dev6-3.15.1.noarch",
"SUSE OpenStack Cloud 9:python-neutron-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:python-neutron-gbp-14.0.1~dev52-3.37.1.noarch",
"SUSE OpenStack Cloud 9:spark-2.2.3-5.12.1.noarch",
"SUSE OpenStack Cloud 9:venv-openstack-barbican-x86_64-7.0.1~dev24-3.37.1.noarch",
"SUSE OpenStack Cloud 9:venv-openstack-horizon-x86_64-14.1.1~dev11-4.43.1.noarch",
"SUSE OpenStack Cloud 9:venv-openstack-neutron-x86_64-13.0.8~dev209-6.43.1.noarch",
"SUSE OpenStack Cloud 9:venv-openstack-nova-x86_64-18.3.1~dev92-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-barbican-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-barbican-api-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-barbican-keystone-listener-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-barbican-retry-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-barbican-worker-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-heat-gbp-14.0.1~dev5-3.12.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-horizon-plugin-gbp-ui-14.0.1~dev6-3.15.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-dhcp-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-gbp-14.0.1~dev52-3.37.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-ha-tool-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-l3-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-linuxbridge-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-macvtap-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-metadata-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-metering-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-openvswitch-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-server-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:python-barbican-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:python-heat-gbp-14.0.1~dev5-3.12.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:python-horizon-plugin-gbp-ui-14.0.1~dev6-3.15.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:python-neutron-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:python-neutron-gbp-14.0.1~dev52-3.37.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:spark-2.2.3-5.12.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2023-01-11T14:40:56Z",
"details": "important"
}
],
"title": "CVE-2022-3100"
},
{
"cve": "CVE-2022-33891",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-33891"
}
],
"notes": [
{
"category": "general",
"text": "The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE OpenStack Cloud 9:openstack-barbican-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud 9:openstack-barbican-api-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud 9:openstack-barbican-keystone-listener-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud 9:openstack-barbican-retry-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud 9:openstack-barbican-worker-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud 9:openstack-heat-gbp-14.0.1~dev5-3.12.1.noarch",
"SUSE OpenStack Cloud 9:openstack-horizon-plugin-gbp-ui-14.0.1~dev6-3.15.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-dhcp-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-gbp-14.0.1~dev52-3.37.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-ha-tool-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-l3-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-linuxbridge-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-macvtap-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-metadata-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-metering-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-openvswitch-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-server-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:python-barbican-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud 9:python-heat-gbp-14.0.1~dev5-3.12.1.noarch",
"SUSE OpenStack Cloud 9:python-horizon-plugin-gbp-ui-14.0.1~dev6-3.15.1.noarch",
"SUSE OpenStack Cloud 9:python-neutron-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:python-neutron-gbp-14.0.1~dev52-3.37.1.noarch",
"SUSE OpenStack Cloud 9:spark-2.2.3-5.12.1.noarch",
"SUSE OpenStack Cloud 9:venv-openstack-barbican-x86_64-7.0.1~dev24-3.37.1.noarch",
"SUSE OpenStack Cloud 9:venv-openstack-horizon-x86_64-14.1.1~dev11-4.43.1.noarch",
"SUSE OpenStack Cloud 9:venv-openstack-neutron-x86_64-13.0.8~dev209-6.43.1.noarch",
"SUSE OpenStack Cloud 9:venv-openstack-nova-x86_64-18.3.1~dev92-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-barbican-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-barbican-api-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-barbican-keystone-listener-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-barbican-retry-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-barbican-worker-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-heat-gbp-14.0.1~dev5-3.12.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-horizon-plugin-gbp-ui-14.0.1~dev6-3.15.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-dhcp-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-gbp-14.0.1~dev52-3.37.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-ha-tool-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-l3-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-linuxbridge-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-macvtap-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-metadata-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-metering-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-openvswitch-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-server-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:python-barbican-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:python-heat-gbp-14.0.1~dev5-3.12.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:python-horizon-plugin-gbp-ui-14.0.1~dev6-3.15.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:python-neutron-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:python-neutron-gbp-14.0.1~dev52-3.37.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:spark-2.2.3-5.12.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-33891",
"url": "https://www.suse.com/security/cve/CVE-2022-33891"
},
{
"category": "external",
"summary": "SUSE Bug 1204326 for CVE-2022-33891",
"url": "https://bugzilla.suse.com/1204326"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE OpenStack Cloud 9:openstack-barbican-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud 9:openstack-barbican-api-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud 9:openstack-barbican-keystone-listener-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud 9:openstack-barbican-retry-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud 9:openstack-barbican-worker-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud 9:openstack-heat-gbp-14.0.1~dev5-3.12.1.noarch",
"SUSE OpenStack Cloud 9:openstack-horizon-plugin-gbp-ui-14.0.1~dev6-3.15.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-dhcp-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-gbp-14.0.1~dev52-3.37.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-ha-tool-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-l3-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-linuxbridge-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-macvtap-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-metadata-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-metering-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-openvswitch-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-server-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:python-barbican-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud 9:python-heat-gbp-14.0.1~dev5-3.12.1.noarch",
"SUSE OpenStack Cloud 9:python-horizon-plugin-gbp-ui-14.0.1~dev6-3.15.1.noarch",
"SUSE OpenStack Cloud 9:python-neutron-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:python-neutron-gbp-14.0.1~dev52-3.37.1.noarch",
"SUSE OpenStack Cloud 9:spark-2.2.3-5.12.1.noarch",
"SUSE OpenStack Cloud 9:venv-openstack-barbican-x86_64-7.0.1~dev24-3.37.1.noarch",
"SUSE OpenStack Cloud 9:venv-openstack-horizon-x86_64-14.1.1~dev11-4.43.1.noarch",
"SUSE OpenStack Cloud 9:venv-openstack-neutron-x86_64-13.0.8~dev209-6.43.1.noarch",
"SUSE OpenStack Cloud 9:venv-openstack-nova-x86_64-18.3.1~dev92-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-barbican-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-barbican-api-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-barbican-keystone-listener-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-barbican-retry-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-barbican-worker-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-heat-gbp-14.0.1~dev5-3.12.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-horizon-plugin-gbp-ui-14.0.1~dev6-3.15.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-dhcp-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-gbp-14.0.1~dev52-3.37.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-ha-tool-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-l3-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-linuxbridge-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-macvtap-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-metadata-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-metering-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-openvswitch-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-server-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:python-barbican-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:python-heat-gbp-14.0.1~dev5-3.12.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:python-horizon-plugin-gbp-ui-14.0.1~dev6-3.15.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:python-neutron-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:python-neutron-gbp-14.0.1~dev52-3.37.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:spark-2.2.3-5.12.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE OpenStack Cloud 9:openstack-barbican-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud 9:openstack-barbican-api-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud 9:openstack-barbican-keystone-listener-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud 9:openstack-barbican-retry-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud 9:openstack-barbican-worker-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud 9:openstack-heat-gbp-14.0.1~dev5-3.12.1.noarch",
"SUSE OpenStack Cloud 9:openstack-horizon-plugin-gbp-ui-14.0.1~dev6-3.15.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-dhcp-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-gbp-14.0.1~dev52-3.37.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-ha-tool-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-l3-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-linuxbridge-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-macvtap-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-metadata-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-metering-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-openvswitch-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:openstack-neutron-server-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:python-barbican-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud 9:python-heat-gbp-14.0.1~dev5-3.12.1.noarch",
"SUSE OpenStack Cloud 9:python-horizon-plugin-gbp-ui-14.0.1~dev6-3.15.1.noarch",
"SUSE OpenStack Cloud 9:python-neutron-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud 9:python-neutron-gbp-14.0.1~dev52-3.37.1.noarch",
"SUSE OpenStack Cloud 9:spark-2.2.3-5.12.1.noarch",
"SUSE OpenStack Cloud 9:venv-openstack-barbican-x86_64-7.0.1~dev24-3.37.1.noarch",
"SUSE OpenStack Cloud 9:venv-openstack-horizon-x86_64-14.1.1~dev11-4.43.1.noarch",
"SUSE OpenStack Cloud 9:venv-openstack-neutron-x86_64-13.0.8~dev209-6.43.1.noarch",
"SUSE OpenStack Cloud 9:venv-openstack-nova-x86_64-18.3.1~dev92-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-barbican-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-barbican-api-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-barbican-keystone-listener-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-barbican-retry-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-barbican-worker-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-heat-gbp-14.0.1~dev5-3.12.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-horizon-plugin-gbp-ui-14.0.1~dev6-3.15.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-dhcp-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-gbp-14.0.1~dev52-3.37.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-ha-tool-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-l3-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-linuxbridge-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-macvtap-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-metadata-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-metering-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-openvswitch-agent-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:openstack-neutron-server-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:python-barbican-7.0.1~dev24-3.17.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:python-heat-gbp-14.0.1~dev5-3.12.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:python-horizon-plugin-gbp-ui-14.0.1~dev6-3.15.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:python-neutron-13.0.8~dev209-3.43.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:python-neutron-gbp-14.0.1~dev52-3.37.1.noarch",
"SUSE OpenStack Cloud Crowbar 9:spark-2.2.3-5.12.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2023-01-11T14:40:56Z",
"details": "important"
}
],
"title": "CVE-2022-33891"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…