2 matches found
CVE-2022-33891
Summary: CVE-2022-33891 is a command-injection vulnerability in the Apache Spark UI when ACLs are enabled. A code path in HttpSecurityFilter can impersonate by supplying an arbitrary username, leading to an arbitrary shell command being executed as the Spark process user. Affected versions includ...
CVE-2023-32007
CVE-2023-32007 describes a command injection in the Apache Spark UI when ACLs are enabled via spark.acls.enable. A path in HttpSecurityFilter could allow impersonation by supplying an arbitrary username, enabling a permission check to build and execute a Unix shell command as the Spark process us...