AVID-2026-R1050

Description

Apache Spark shell command injection vulnerability via Spark UI (CVE-2022-33891)

Details

The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.

Reason for inclusion in AVID: The CVE-2022-33891 describes a command injection vulnerability (CWE-78) in Apache Spark UI that enables arbitrary shell command execution. Apache Spark is a widely used software component in AI/ML data processing pipelines and model training/serving stacks. As a vulnerability in a dependency commonly used to build, train, deploy, or run general-purpose AI systems, it constitutes a software supply chain issue for AI stacks. The vulnerability is explicitly of a security nature (RCE) with clear exploitation potential. Evidence is provided by the CVE entry and description of the OS command injection and affected versions.

References

Affected or Relevant Artifacts

Developer: Apache Software Foundation
Deployer: Apache Software Foundation
Artifact Details:

Type	Name
System	Apache Spark

Impact

AVID Taxonomy Categorization

Risk domains: Security
SEP subcategories: S0100: Software Vulnerability
Lifecycle stages: L06: Deployment

CWE

ID	Description
CWE-78	CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Other information

Report Type: Advisory
Credits:
Date Reported: 2022-07-18
Version: 0.3.3
AVID Entry