github - ghsa-4x9r-j582-cgr8

GHSA-4X9R-J582-CGR8

Vulnerability from github – Published: 2022-07-19 00:00 – Updated: 2025-10-22 19:19

Summary

Apache Spark UI can allow impersonation if ACLs enabled

Details

The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.

A previous version of this advisory incorrectly stated that version 3.1.3 was not vulnerable. Per GHSA-59hw-j9g6-mfg3, version 3.1.3 is vulnerable and vulnerable version ranges in this advisory have been changed to reflect the correct information.

Severity ?

8.8 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H

8.7 (High)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:A

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.spark:spark-parent_2.12"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "3.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.spark:spark-parent_2.12"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.1.1"
            },
            {
              "fixed": "3.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pyspark"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "3.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pyspark"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.1.1"
            },
            {
              "fixed": "3.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-33891"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-78"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-21T21:40:46Z",
    "nvd_published_at": "2022-07-18T07:15:00Z",
    "severity": "HIGH"
  },
  "details": "The Apache Spark UI offers the possibility to enable ACLs via the configuration option `spark.acls.enable`. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.\n\nA previous version of this advisory incorrectly stated that version 3.1.3 was not vulnerable. Per [GHSA-59hw-j9g6-mfg3](https://github.com/advisories/GHSA-59hw-j9g6-mfg3), version 3.1.3 is vulnerable and vulnerable version ranges in this advisory have been changed to reflect the correct information.",
  "id": "GHSA-4x9r-j582-cgr8",
  "modified": "2025-10-22T19:19:14Z",
  "published": "2022-07-19T00:00:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33891"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/spark"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/pyspark/PYSEC-2022-236.yaml"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc"
    },
    {
      "type": "WEB",
      "url": "https://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-33891"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2023/05/02/1"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2023/05/02/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:A",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Apache Spark UI can allow impersonation if ACLs enabled"
}

PYSEC-2022-236

Vulnerability from pysec - Published: 2022-07-18 07:15 - Updated: 2022-07-25 14:38

Details

The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.

Impacted products

Name	purl
pyspark	pkg:pypi/pyspark

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pyspark",
        "purl": "pkg:pypi/pyspark"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.1.1"
            },
            {
              "introduced": "3.2.0"
            },
            {
              "fixed": "3.2.2"
            },
            {
              "introduced": "3.1.1"
            },
            {
              "fixed": "3.1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.1.1",
        "2.1.2",
        "2.1.3",
        "2.2.0",
        "2.2.1",
        "2.2.2",
        "2.2.3",
        "2.3.0",
        "2.3.1",
        "2.3.2",
        "2.3.3",
        "2.3.4",
        "2.4.0",
        "2.4.1",
        "2.4.2",
        "2.4.3",
        "2.4.4",
        "2.4.5",
        "2.4.6",
        "2.4.7",
        "2.4.8",
        "3.0.0",
        "3.0.1",
        "3.0.2",
        "3.0.3",
        "3.1.1",
        "3.1.2",
        "3.2.0",
        "3.2.1"
      ]
    }
  ],
  "aliases": [
    "CVE-2022-33891",
    "GHSA-4x9r-j582-cgr8"
  ],
  "details": "The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.",
  "id": "PYSEC-2022-236",
  "modified": "2022-07-25T14:38:46.692270Z",
  "published": "2022-07-18T07:15:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-4x9r-j582-cgr8"
    }
  ]
}

CVE-2022-33891 (GCVE-0-2022-33891)

Vulnerability from cvelistv5 – Published: 2022-07-18 00:00 – Updated: 2025-10-21 23:15

Summary

Severity ?

No CVSS data available.

CWE

CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Assigner

apache

References

URL

Tags

	https://lists.apache.org/thread/p847l3kopoo5bjtmx…
	http://packetstormsecurity.com/files/168309/Apach…
	http://www.openwall.com/lists/oss-security/2023/05/02/1	mailing-list

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Spark	Affected: 3.0.3 and earlier , ≤ 3.0.3 (custom) Affected: 3.1.1 to 3.1.2 , ≤ 3.1.2 (custom) Affected: 3.2.0 to 3.2.1 , ≤ 3.2.1 (custom)

Credits

Kostya Kortchinsky (Databricks)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T08:09:22.687Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html"
          },
          {
            "name": "[oss-security] 20230502 CVE-2023-32007: Apache Spark: Shell command injection via Spark UI",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2023/05/02/1"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 8.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2022-33891",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-04T14:13:50.936095Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2023-03-07",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-33891"
              },
              "type": "kev"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-21T23:15:38.160Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-33891"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2023-03-07T00:00:00+00:00",
            "value": "CVE-2022-33891 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Spark",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "3.0.3",
              "status": "affected",
              "version": "3.0.3 and earlier",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "3.1.2",
              "status": "affected",
              "version": "3.1.1 to 3.1.2",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "3.2.1",
              "status": "affected",
              "version": "3.2.0 to 3.2.1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": " Kostya Kortchinsky (Databricks)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "other": "important"
            },
            "type": "unknown"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-07-25T08:13:36.397Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "url": "https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc"
        },
        {
          "url": "http://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html"
        },
        {
          "name": "[oss-security] 20230502 CVE-2023-32007: Apache Spark: Shell command injection via Spark UI",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2023/05/02/1"
        }
      ],
      "source": {
        "defect": [
          "SPARK-38992"
        ],
        "discovery": "UNKNOWN"
      },
      "title": "Apache Spark shell command injection vulnerability via Spark UI",
      "workarounds": [
        {
          "lang": "en",
          "value": "Upgrade to supported Apache Spark maintenance release 3.1.3, 3.2.2, or 3.3.0 or later"
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2022-33891",
    "datePublished": "2022-07-18T00:00:00.000Z",
    "dateReserved": "2022-06-17T00:00:00.000Z",
    "dateUpdated": "2025-10-21T23:15:38.160Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-4X9R-J582-CGR8

PYSEC-2022-236

CVE-2022-33891 (GCVE-0-2022-33891)

Tags

Sightings

Nomenclature