CVE-2023-28710 – Apache Airflow Spark Provider Arbitrary File Read via JDBC
https://notcve.org/view.php?id=CVE-2023-28710
Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Spark Provider.This issue affects Apache Airflow Spark Provider: before 4.0.1. • http://www.openwall.com/lists/oss-security/2023/04/07/3 https://github.com/apache/airflow/pull/30223 https://lists.apache.org/thread/lb9w9114ow00h2nkn8bjm106v5x1p1d2 • CWE-20: Improper Input Validation •
CVE-2022-40954 – Apache Airflow Spark Provider RCE that bypass restrictions to read arbitrary files
https://notcve.org/view.php?id=CVE-2022-40954
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Spark Provider, Apache Airflow allows an attacker to read arbtrary files in the task execution context, without write access to DAG files. This issue affects Spark Provider versions prior to 4.0.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case Spark Provider is installed (Spark Provider 4.0.0 can only be installed for Airflow 2.3.0+). Note that you need to manually install the Spark Provider version 4.0.0 in order to get rid of the vulnerability on top of Airflow 2.3.0+ version that has lower version of the Spark Provider installed). Neutralización inadecuada de elementos especiales utilizados en una vulnerabilidad de comando del sistema operativo ('inyección de comando del sistema operativo') en Apache Airflow Spark Provider. • https://github.com/apache/airflow/pull/27646 https://lists.apache.org/thread/0tmdlnmjs5t4gsx5fy73tb6zd3jztq45 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2022-31777 – Apache Spark XSS vulnerability in log viewer UI Javascript
https://notcve.org/view.php?id=CVE-2022-31777
A stored cross-site scripting (XSS) vulnerability in Apache Spark 3.2.1 and earlier, and 3.3.0, allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the logs which would be returned in logs rendered in the UI. Una vulnerabilidad de Cross-Site Scripting (XSS) Almacenado en Apache Spark 3.2.1 y anteriores, y 3.3.0, permite a atacantes remotos ejecutar JavaScript arbitrario en el navegador web de un usuario, al incluir un payload malicioso en los registros que serían devuelto en registros representados en la interfaz de usuario. A stored cross-site scripting (XSS) flaw was found in Apache Spark. This issue allows an attacker to execute arbitrary JavaScript in the web browser of a user, including a malicious payload into the logs which are returned in logs rendered in the UI. • http://www.openwall.com/lists/oss-security/2022/11/01/14 https://lists.apache.org/thread/60mgbswq2lsmrxykfxpqq13ztkm2ht6q https://access.redhat.com/security/cve/CVE-2022-31777 https://bugzilla.redhat.com/show_bug.cgi?id=2145264 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVE-2022-33891 – Apache Spark Command Injection Vulnerability
https://notcve.org/view.php?id=CVE-2022-33891
The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. • https://github.com/west-wind/CVE-2022-33891 https://github.com/AmoloHT/CVE-2022-33891 https://github.com/Vulnmachines/Apache-spark-CVE-2022-33891 https://github.com/IMHarman/CVE-2022-33891 https://github.com/DrLinuxOfficial/CVE-2022-33891 https://github.com/K3ysTr0K3R/CVE-2022-33891-EXPLOIT http://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html http://www.openwall.com/lists/oss-security/2023/05/02/1 https://lists.apache.org/thread/p847l3kopoo5bjtmxrc • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2021-38296 – Apache Spark Key Negotiation Vulnerability
https://notcve.org/view.php?id=CVE-2021-38296
Apache Spark supports end-to-end encryption of RPC connections via "spark.authenticate" and "spark.network.crypto.enabled". In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. Note that this does not affect security mechanisms controlled by "spark.authenticate.enableSaslEncryption", "spark.io.encryption.enabled", "spark.ssl", "spark.ui.strictTransportSecurity". Update to Apache Spark 3.1.3 or later Apache Spark soporta el cifrado de extremo a extremo de las conexiones RPC por medio de "spark.authenticate" y "spark.network.crypto.enabled". • https://lists.apache.org/thread/70x8fw2gx3g9ty7yk0f2f1dlpqml2smd https://www.oracle.com/security-alerts/cpujul2022.html • CWE-294: Authentication Bypass by Capture-replay •