CVE-2023-32007

CWE-77 Command Injection | 8 documents | 6 sources

Severity: 8.8 HIGH
EPSS: 92.2% (top 0.29%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published May 2; Latest update Sep 26

Description

** UNSUPPORTED WHEN ASSIGNED ** The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shel

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (Exploitability: 2.8 | Impact: 5.9)

Affected Packages (4 packages)

Source      Package                                  Versions
Maven       org.apache.spark:spark-parent_2.12       3.1.1  3.2.2
CVEListV5   apache_software_foundation/apache_spark  3.1.1  3.2.2
NVD         apache/spark                             3.1.1  3.1.3  (+2 more)
PyPI        pyspark                                  3.2.0  3.2.2  (+3 more)

🔴 Vulnerability Details (4)

CVEList  Apache Spark: Shell command injection via Spark UI  (2023-05-02)
OSV      CVE-2023-32007: ** UNSUPPORTED WHEN ASSIGNED ** The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark  (2023-05-02)
OSV      Apache Spark UI vulnerable to Command Injection  (2023-05-02)
GHSA     Apache Spark UI vulnerable to Command Injection  (2023-05-02)

🔍 Detection Rules (1)

Suricata  ET WEB_SPECIFIC_APPS Apache Spark OS Command Injection (CVE-2023-32007)  (2024-09-26)

📋 Vendor Advisories (2)

Apache  Apache spark: CVE-2022-33891
Apache  Apache spark: CVE-2023-32007