CVE-2022-33891 PoC — Apache Spark shell command injection vulnerability via Spark UI

Associated Vulnerability
Title: Apache Spark shell command injection vulnerability via Spark UI (CVE-2022-33891)
Description: The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.
Description
A PoC exploit for CVE-2022-33891 - Apache Spark UI Remote Code Execution (RCE)
Readme
# CVE-2022-33891 - Apache Spark UI Remote Code Execution (RCE) 🔐

Apache Spark UI is susceptible to a remote command injection vulnerability identified as CVE-2022-33891. This flaw arises due to improper handling of user authentication and access control, specifically when Access Control Lists (ACLs) are enabled. With ACLs activated through the `spark.acls.enable` configuration option, an authentication filter is supposed to validate whether a user has the necessary permissions to view or modify the application. However, a vulnerability exists within the `HttpSecurityFilter` that allows for impersonation by supplying an arbitrary username.

## Vulnerability Details 🛠

When ACLs are enabled, a specific code path within `HttpSecurityFilter` fails to adequately verify user identities. This oversight permits an attacker to bypass the authentication mechanism and reach a permission check function. This function inadvertently constructs and executes a Unix shell command based on user-supplied input, leading to arbitrary code execution on the server hosting the Apache Spark UI.

### Affected Versions 🚨

The vulnerability impacts the following versions of Apache Spark:
- Versions 3.0.3 and earlier
- Versions 3.1.1 to 3.1.2
- Versions 3.2.0 to 3.2.1
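The affected-version list above is the first thing a defender needs when triaging a Spark estate. The following is an added example (not code from the PoC repository) that encodes exactly the three inclusive ranges stated above and checks an inventory of Spark version strings against them; the hostnames and versions in `SAMPLE_INVENTORY` are constructed for the example.

```python
"""Check whether an Apache Spark version falls inside the CVE-2022-33891 affected ranges.

Added example, not part of the PoC repository. The ranges are taken literally
from the advisory text: 3.0.3 and earlier, 3.1.1 to 3.1.2, 3.2.0 to 3.2.1.
"""
import re

# Inclusive (low, high) ranges from the advisory; (0, 0, 0) stands for "and earlier".
AFFECTED_RANGES = [
    ((0, 0, 0), (3, 0, 3)),
    ((3, 1, 1), (3, 1, 2)),
    ((3, 2, 0), (3, 2, 1)),
]

# Leading "major.minor.patch"; vendor suffixes such as "-hadoop3.2" are ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version):
    """Return the (major, minor, patch) tuple at the start of a Spark version string."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Spark version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if the version lies inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def triage(inventory):
    """inventory: iterable of (host, version) pairs -> hosts running an affected version."""
    return [host for host, ver in inventory if is_affected(ver)]


# Constructed sample inventory (hostnames and versions are made up for this example).
SAMPLE_INVENTORY = [
    ("spark-master-01", "3.2.1"),
    ("spark-master-02", "3.3.0"),
    ("spark-hist-01", "2.4.8"),
    ("spark-dev-01", "3.1.3"),
    ("spark-legacy", "3.0.3-hadoop3.2"),
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: runs a version listed as affected by CVE-2022-33891")
```

The ranges are applied exactly as the advisory states them, so a version such as 3.1.0, which sits between "3.0.3 and earlier" and "3.1.1 to 3.1.2" and is not named in either, is reported as not affected; treat any such gap as "unlisted" rather than "safe" and confirm against the vendor's advisory before closing a finding.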

## Proof of Concept (PoC) 💻

A Proof of Concept (PoC) has been developed to demonstrate the exploitability of this vulnerability. This PoC is intended strictly for educational and security research purposes, to aid in the understanding and mitigation of this flaw.

### Disclaimer ⚠️

The provided PoC is for educational and ethical hacking purposes only. Usage of the PoC for attacks against web applications or servers without prior mutual consent is illegal. The author assumes no liability and is not responsible for any misuse or damage caused by this material. Users are urged to use this information responsibly and ethically.
File Snapshot

[4.0K] /data/pocs/c3fdaf5af899bebee19b35f1b96f0b6db01d547b
├── [7.2K] CVE-2022-33891.py
└── [1.9K] README.md

0 directories, 2 files