CVSS3: 8.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS2: 6.5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

EPSS: 0.969 High
Percentile: 99.6%
Apache Spark is vulnerable to OS command injection. The vulnerability exists because, when ACLs are enabled, it is possible to impersonate an arbitrary user name; an attacker can supply malicious input that is used to build and execute an arbitrary Unix shell command.
CPE | Name | Operator | Version
---|---|---|---
 | spark project core | le | 3.0.0-preview2
packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html
www.openwall.com/lists/oss-security/2023/05/02/1
github.com/apache/spark/commit/1d524a88f6e93e9971a09f70eb2804dca51d578c
github.com/apache/spark/commit/9cc2ae7804156899850031bd694b1925473fb4cd
github.com/apache/spark/pull/36315
issues.apache.org/jira/browse/SPARK-38992
lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc