CVSS: 8.8EPSS: 1%CPEs: 3EXPL: 0CVE-2023-32007 – Apache Spark: Shell command injection via Spark UI
https://notcve.org/view.php?id=CVE-2023-32007
The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. • http://www.openwall.com/lists/oss-security/2023/05/02/1 https://lists.apache.org/thread/poxgnxhhnzz735kr1wos366l5vdbb0nv https://spark.apache.org/security.html https://www.cve.org/CVERecord?id=CVE-2022-33891 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2023-22946 – Apache Spark proxy-user privilege escalation from malicious configuration class
https://notcve.org/view.php?id=CVE-2023-22946
In Apache Spark versions prior to 3.4.0, applications using spark-submit can specify a 'proxy-user' to run as, limiting privileges. The application can execute code with the privileges of the submitting user, however, by providing malicious configuration-related classes on the classpath. This affects architectures relying on proxy-user, for example those using Apache Livy to manage submitted applications. Update to Apache Spark 3.4.0 or later, and ensure that spark.submit.proxyUser.allowCustomClasspathInClusterMode is set to its default of "false", and is not overridden by submitted applications. • https://lists.apache.org/thread/yllfl25xh5tbotjmg93zrq4bzwhqc0gv • CWE-269: Improper Privilege Management •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0CVE-2022-31777 – Apache Spark XSS vulnerability in log viewer UI Javascript
https://notcve.org/view.php?id=CVE-2022-31777
A stored cross-site scripting (XSS) vulnerability in Apache Spark 3.2.1 and earlier, and 3.3.0, allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the logs which would be returned in logs rendered in the UI. Una vulnerabilidad de Cross-Site Scripting (XSS) Almacenado en Apache Spark 3.2.1 y anteriores, y 3.3.0, permite a atacantes remotos ejecutar JavaScript arbitrario en el navegador web de un usuario, al incluir un payload malicioso en los registros que serían devuelto en registros representados en la interfaz de usuario. A stored cross-site scripting (XSS) flaw was found in Apache Spark. This issue allows an attacker to execute arbitrary JavaScript in the web browser of a user, including a malicious payload into the logs which are returned in logs rendered in the UI. • http://www.openwall.com/lists/oss-security/2022/11/01/14 https://lists.apache.org/thread/60mgbswq2lsmrxykfxpqq13ztkm2ht6q https://access.redhat.com/security/cve/CVE-2022-31777 https://bugzilla.redhat.com/show_bug.cgi?id=2145264 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 8.8EPSS: 97%CPEs: 3EXPL: 8CVE-2022-33891 – Apache Spark Command Injection Vulnerability
https://notcve.org/view.php?id=CVE-2022-33891
The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. • https://github.com/west-wind/CVE-2022-33891 https://github.com/AmoloHT/CVE-2022-33891 https://github.com/Vulnmachines/Apache-spark-CVE-2022-33891 https://github.com/IMHarman/CVE-2022-33891 https://github.com/DrLinuxOfficial/CVE-2022-33891 https://github.com/K3ysTr0K3R/CVE-2022-33891-EXPLOIT http://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html http://www.openwall.com/lists/oss-security/2023/05/02/1 https://lists.apache.org/thread/p847l3kopoo5bjtmxrc • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2021-38296 – Apache Spark Key Negotiation Vulnerability
https://notcve.org/view.php?id=CVE-2021-38296
Apache Spark supports end-to-end encryption of RPC connections via "spark.authenticate" and "spark.network.crypto.enabled". In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. Note that this does not affect security mechanisms controlled by "spark.authenticate.enableSaslEncryption", "spark.io.encryption.enabled", "spark.ssl", "spark.ui.strictTransportSecurity". Update to Apache Spark 3.1.3 or later Apache Spark soporta el cifrado de extremo a extremo de las conexiones RPC por medio de "spark.authenticate" y "spark.network.crypto.enabled". • https://lists.apache.org/thread/70x8fw2gx3g9ty7yk0f2f1dlpqml2smd https://www.oracle.com/security-alerts/cpujul2022.html • CWE-294: Authentication Bypass by Capture-replay •