CVE-2023-32007
Published: 02 May 2023
Summary
CVE-2023-32007 is a high-severity Command Injection (CWE-77) vulnerability in Apache Spark. Its CVSS base score is 8.8 (High).
Operationally, its EPSS score places it in the top 0.3% of CVEs by exploit likelihood. CVE-2023-32007 itself is not listed in the CISA KEV catalog, but the same flaw under its original identifier, CVE-2022-33891, is, so KEV-driven tooling that keys on this newer ID alone will miss it.
Deeper analysis
CVE-2023-32007 is a command injection vulnerability in the Apache Spark UI that is reachable when ACLs are enabled via the spark.acls.enable configuration option and an authentication filter is in place. HttpSecurityFilter accepts an arbitrary user name as an impersonation target (the doAs request parameter) without validating it and hands that name to the ACL permission check; when group membership is resolved through the shell-based groups-mapping provider, the check builds a Unix shell command from the user-supplied name and executes it. The issue affects only releases that were already unsupported when the CVE was assigned. It is the same flaw disclosed earlier as CVE-2022-33891, whose advisory had incorrectly stated that version 3.1.3 was unaffected.
An attacker who can reach the Spark UI needs only low privileges (the 8.8 score corresponds to a PR:L vector): a crafted impersonation user name is enough to bypass the ACL check and obtain arbitrary command execution with the privileges of the account running Spark. The vulnerability carries a CVSS base score of 8.8 and is classified as CWE-77 (improper neutralization of special elements used in a command).
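The bug class described above, reduced to its essentials as an added example (this is not Apache Spark's code): an impersonated user name taken from a request reaches a group-lookup routine that splices it into a shell command, beside the hardened form (allow-list the name, run the lookup as an argv list with no shell) and a detector that applies the same allow-list to impersonation parameters in web access logs. The parameter name doAs and the lookup command id -Gn run through bash -c are assumptions taken from public write-ups of CVE-2022-33891, not from this page; the log lines are constructed.

```python
"""The bug class behind CVE-2023-32007 / CVE-2022-33891, in miniature.

Added example, not Apache Spark's code. It mirrors the pattern in the advisory:
an impersonated user name is taken from a request, reaches a group-lookup
routine that concatenates it into a shell command, and is executed.
Assumptions (not from the page): the impersonation parameter is ``doAs`` and
the lookup is ``id -Gn <user>`` run via ``bash -c``, as reported in public
write-ups of CVE-2022-33891.
"""
import re
import subprocess
from typing import List, Tuple
from urllib.parse import parse_qs, urlsplit


def build_vulnerable_command(username: str) -> List[str]:
    """The vulnerable shape: untrusted input spliced into a shell string.

    Returned instead of executed so the example is safe to run anywhere; a
    name such as $(id) or ;curl evil would be interpreted by bash.
    """
    return ["bash", "-c", "id -Gn " + username]


# Portable POSIX user-name syntax: letter/underscore start, no metacharacters.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def is_safe_username(username: str) -> bool:
    """Allow-list check; anything else is rejected before it reaches a process."""
    return USERNAME_RE.fullmatch(username) is not None


def build_safe_command(username: str) -> List[str]:
    """Hardened shape: validate, then pass an argv list with no shell at all."""
    if not is_safe_username(username):
        raise ValueError(f"rejected impersonation target {username!r}")
    return ["id", "-Gn", username]


def lookup_groups(username: str) -> List[str]:
    """Resolve groups the safe way; an unknown user yields an empty list."""
    proc = subprocess.run(build_safe_command(username),
                          capture_output=True, text=True, check=False)
    return proc.stdout.split() if proc.returncode == 0 else []


# Constructed access-log lines in combined format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [02/May/2023:10:00:00 +0000] "GET /jobs/?doAs=alice HTTP/1.1" 200 512
10.0.0.9 - - [02/May/2023:10:00:01 +0000] "GET /?doAs=%60id%60 HTTP/1.1" 200 512
10.0.0.9 - - [02/May/2023:10:00:02 +0000] "GET /?doAs=spark%3Bcurl+evil HTTP/1.1" 200 512
10.0.0.7 - - [02/May/2023:10:00:03 +0000] "GET /stages/ HTTP/1.1" 200 512
"""

# client address, then the request target of the quoted request line
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/')


def flag_impersonation_requests(log_text: str) -> List[Tuple[str, str]]:
    """Detection: (client, decoded doAs value) for every request whose
    impersonation target fails the allow-list the hardened lookup enforces."""
    hits: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        # parse_qs percent-decodes, so %60id%60 is checked as `id`
        for value in parse_qs(urlsplit(target).query).get("doAs", []):
            if not is_safe_username(value):
                hits.append((client, value))
    return hits


if __name__ == "__main__":
    print(build_vulnerable_command("`id`"))
    print(build_safe_command("spark"))
    for client, value in flag_impersonation_requests(SAMPLE_LOG):
        print(f"suspicious doAs from {client}: {value!r}")
```

Quoting the name with shlex.quote before handing it to bash -c would also defuse the metacharacters, but dropping the shell and validating the identifier removes the whole class rather than one encoding of it; the detector deliberately reuses the same predicate so that what production rejects is exactly what the hunt flags.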
Public advisories state that the vulnerability affects only end-of-life products and direct users to upgrade to a currently supported release such as Apache Spark 3.4.0. The referenced Apache security page and OSS-Security mailing-list posts reiterate that no patches will be issued for unsupported branches.
The associated EPSS score stands at 0.9228, consistent with the exploit-likelihood ranking above; the flaw has been actively exploited under its original identifier.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-0220
Vulnerability details
** UNSUPPORTED WHEN ASSIGNED ** The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This issue was disclosed earlier as CVE-2022-33891, but incorrectly claimed version 3.1.3 (which has since gone EOL) would not be affected. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Users are recommended to upgrade to a supported version of Apache Spark, such as version 3.4.0.
Mitigating Controls
Upgrade to a supported Apache Spark release (3.4.0 or later at the time of the advisory); no fix will be published for the end-of-life branches. The vulnerable code path is only reachable when spark.acls.enable is true, so on an EOL branch that cannot be upgraded immediately, confirm whether ACLs are actually in use and treat any deployment that enables them as exploitable. In all cases the Spark UI should not be reachable from untrusted networks, and access logs should be checked for impersonation requests carrying shell metacharacters.