Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2022-33891 PoC — Apache Spark shell command injection vulnerability via Spark UI

Source
https://github.com/nanaao/CVE-2022-33891
Associated Vulnerability
Title:Apache Spark shell command injection vulnerability via Spark UI (CVE-2022-33891)
Description:The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.
Description
PoC for CVE-2022-33891
Readme
# CVE-2022-33891 PoC
PoC for CVE-2022-33891, with ability to set custom payloads. 

Not vulnerable by default -- spark.acls.enable need to be TRUE.

## Intended Use
Usage of this script is limited to personnel who are authorised to run the payload on the target hosts for vulnerability patching purposes only. Prior to running this script, ensure you are authorised.

## Use

```
git clone https://github.com/west-wind/CVE-2022-33891.git
python cve-2022-33891.py
```

## Getting Started
This POC expects to receive all targets in a CSV file titled --> **allTargets.csv** with one column titled --> **targets**, containing all the targets that need to be scanned ex., http://12.23.45.67:9099 or http://spark.domain.com. The / will be added by the script.

Enter the payload to be executed on the target in the **POC.conf** file. 
Your host in    --> **yourHostHere** http://my_domain_here.com
Your payload in --> **yourPayloadHere** payload.sh

Made for research purposes.

## Detection SPL
```
index=web sourcetype IN (nginx, waf_logs) url=*/?doAs*
| eval decodedIndicators=urldecode(url)
| table _time src_ip dest status request url decodedIndicators
```

## Patching & References
[NIST NVD](https://nvd.nist.gov/vuln/detail/CVE-2022-33891)

[Apache Advisory](https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc)

[W01fh4cker](https://github.com/W01fh4cker/cve-2022-33891)
File Snapshot

 [4.0K]  /data/pocs/4787a5e242241b3d6992850a6dc5264e4a347c69
├── [  77]  allTargets.csv
├── [1.6K]  cve-2022-33891.py
├── [1.0K]  LICENSE
├── [  80]  POC.conf
└── [1.4K]  README.md

0 directories, 5 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →