CVE-2022-32007
Published 2022-06-02
CVE-2022-32007: Complete Online Job Search System v1.0 is vulnerable to SQL Injection via /eris/admin/company/index.php?view=edit&id=.
Priority: P3 · 47 · high · 7.2 (CVSS 3.1)
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 4.52% (90.3th percentile)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | spark | — | — |
| complete_online_job_search_system_project | complete_online_job_search_system | — | — |
CVSS provenance
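| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| ghsa | | 8.8 | HIGH | |
| vendor_apache | | 8.8 | HIGH | |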
GHSA
Apache Spark UI vulnerable to Command Injection
ghsa·2023-05-02·CVSS 8.8
CVE-2023-32007 [HIGH] CWE-77 Apache Spark UI vulnerable to Command Injection
The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This issue was disclosed earlier as CVE-2022-33891, but incorrectly claimed version 3.1.3 (which has since gone EOL) would not be affected.
GHSA
GHSA-g435-7p43-3p3q: Complete Online Job Search System v1
ghsa_unreviewed·2022-06-03
CVE-2022-32007 [HIGH] CWE-89 GHSA-g435-7p43-3p3q: Complete Online Job Search System v1
Complete Online Job Search System v1.0 is vulnerable to SQL Injection via /eris/admin/company/index.php?view=edit&id=.
Apache
Apache spark: CVE-2023-32007
vendor_apache·CVSS 8.8
CVE-2023-32007 [HIGH] Apache spark: CVE-2023-32007
This CVE is only an update to CVE-2022-33891 to clarify that version 3.1.3 is also affected. It is otherwise not a new vulnerability. Note that Apache Spark 3.1.x is EOL now.
Affected versions: 3.1.3
Apache
Apache spark: CVE-2022-33891
vendor_apache·CVSS 8.8
CVE-2022-33891 [HIGH] Apache spark: CVE-2022-33891
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
3.1.3 and earlier (previously, this was marked as fixed in 3.1.3; this change is tracked as CVE-2023-32007)
3.2.0 to 3.2.1
Description: The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell comm
No detection rules found.
Nuclei
Complete Online Job Search System 1.0 - SQL Injection
nuclei·CVSS 7.2
CVE-2022-32007 [HIGH] Complete Online Job Search System 1.0 - SQL Injection
Complete Online Job Search System 1.0 contains a SQL injection vulnerability via /eris/admin/company/index.php?view=edit&id=. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site.
Template:
id: CVE-2022-32007
info:
  name: Complete Online Job Search System 1.0 - SQL Injection
  author: arafatansari
  severity: high
  description: |
    Complete Online Job Search System 1.0 contains a SQL injection vulnerability via /eris/admin/company/index.php?view=edit&id=. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site.
No writeups or analysis indexed.