Cyber Resilience

CVE-2023-32007

Severity: High · Type: RCE

Published: 02 May 2023
Modified: 13 February 2025
KEV Added: not listed
Patch: none for unsupported branches (upgrade to a supported release)
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9228 (99.7th percentile)
Risk Priority: 73 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-32007 is a high-severity Command Injection (CWE-77) vulnerability in Apache Spark. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 0.3% of CVEs by exploit likelihood (EPSS 0.9228); it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2023-32007 is a command injection vulnerability in the Apache Spark UI that occurs when ACLs are enabled via the spark.acls.enable configuration option together with an authentication filter. The flaw resides in a code path inside HttpSecurityFilter that permits impersonation through an arbitrary username, which is then passed to a permission-check function that constructs and executes a Unix shell command. The issue affects only unsupported releases of Apache Spark; the original disclosure as CVE-2022-33891 had incorrectly stated that version 3.1.3 was unaffected.

An attacker who can reach the Spark UI with valid credentials can supply a crafted username to bypass ACL checks and obtain arbitrary command execution with the privileges of the user running Spark. The vulnerability carries a CVSS score of 8.8 and is categorized under CWE-77.

Public advisories state that the vulnerability affects only end-of-life products and direct users to upgrade to a currently supported release such as Apache Spark 3.4.0. The referenced Apache security page and OSS-Security mailing-list posts reiterate that no patches will be issued for unsupported branches.
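As an added example (not code from this record or from the Apache Spark project), a Python check that takes a Spark version string and the contents of spark-defaults.conf and flags deployments matching the exposure conditions this page describes: an affected version with spark.acls.enable set to true. The spark.ui.filters key is assumed to be where a UI authentication filter is configured and is reported only as supporting information; the sample configuration is constructed.

```python
import re
# Affected version ranges as listed in this record (constructed table).
AFFECTED_RANGES = [
    ((0, 0, 0), (3, 0, 3)),  # <= 3.0.3
    ((3, 1, 1), (3, 1, 3)),  # 3.1.1 to 3.1.3
    ((3, 2, 0), (3, 2, 1)),  # 3.2.0 to 3.2.1
]

def parse_version(version):
    """Turn a Spark version such as '3.1.3' (suffixes ignored) into a comparable tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Spark version string: {version!r}")
    return tuple(int(x) for x in m.groups())

def version_affected(version):
    """True when the version falls inside one of the listed affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)

def parse_spark_defaults(text):
    """Parse spark-defaults.conf ('key value' or 'key=value'), skipping comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*[=:]\s*|\s+", line, maxsplit=1)
        if len(parts) == 2:
            conf[parts[0]] = parts[1].strip()
    return conf

def assess(version, conf):
    """Combine version and configuration into an exposure verdict."""
    acls_enabled = conf.get("spark.acls.enable", "false").strip().lower() == "true"
    affected = version_affected(version)
    return {
        "version_affected": affected,
        "acls_enabled": acls_enabled,
        # spark.ui.filters is assumed to hold the UI authentication filter (informational).
        "ui_filter_configured": bool(conf.get("spark.ui.filters")),
        "exposed": affected and acls_enabled,
    }

# Constructed sample spark-defaults.conf for demonstration.
SAMPLE_CONF = """
spark.master        yarn
spark.acls.enable   true
spark.ui.filters    org.example.AuthFilter
"""
```

Running `assess("3.1.3", parse_spark_defaults(SAMPLE_CONF))` reports the deployment as exposed, while the same configuration on 3.4.0 does not.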

The associated EPSS score stands at 0.9228 with no material post-disclosure climb from a low baseline.

Vulnerability details

** UNSUPPORTED WHEN ASSIGNED ** The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This issue was disclosed earlier as CVE-2022-33891, but incorrectly claimed version 3.1.3 (which has since gone EOL) would not be affected. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Users are recommended to upgrade to a supported version of Apache Spark, such as version 3.4.0.

CWE(s)

CWE-77 (Command Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Apache Spark: ≤ 3.0.3 · 3.1.1 to 3.1.3 · 3.2.0 to 3.2.1

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.