CVE-2022-33891 (High) detected in pyspark-2.4.0.tar.gz, pyspark-2.4.5.tar.gz

## CVE-2022-33891 - High Severity Vulnerability
<details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/vulnerability_details.png' width=19 height=20> Vulnerable Libraries - pyspark-2.4.0.tar.gz, pyspark-2.4.5.tar.gz</summary>


<details><summary>pyspark-2.4.0.tar.gz</summary>

Apache Spark Python API
Library home page: <a href="https://files.pythonhosted.org/packages/88/01/a37e827c2d80c6a754e40e99b9826d978b55254cc6c6672b5b08f2e18a7f/pyspark-2.4.0.tar.gz">https://files.pythonhosted.org/packages/88/01/a37e827c2d80c6a754e40e99b9826d978b55254cc6c6672b5b08f2e18a7f/pyspark-2.4.0.tar.gz</a>
Path to dependency file: /sample_app
Path to vulnerable library: /sample_app


Dependency Hierarchy:
 - :x: **pyspark-2.4.0.tar.gz** (Vulnerable Library)
</details>
<details><summary>pyspark-2.4.5.tar.gz</summary>

Apache Spark Python API
Library home page: <a href="https://files.pythonhosted.org/packages/9a/5a/271c416c1c2185b6cb0151b29a91fff6fcaed80173c8584ff6d20e46b465/pyspark-2.4.5.tar.gz">https://files.pythonhosted.org/packages/9a/5a/271c416c1c2185b6cb0151b29a91fff6fcaed80173c8584ff6d20e46b465/pyspark-2.4.5.tar.gz</a>
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt


Dependency Hierarchy:
 - :x: **pyspark-2.4.5.tar.gz** (Vulnerable Library)
</details>

Found in base branch: master

</details>

<details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/high_vul.png?' width=19 height=20> Vulnerability Details</summary>
 
 
The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.

Publish Date: 2022-07-18
URL: <a href=https://www.mend.io/vulnerability-database/CVE-2022-33891>CVE-2022-33891</a>

</details>

<details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/cvss3.png' width=19 height=20> CVSS 3 Score Details (8.8)</summary>


Base Score Metrics:
- Exploitability Metrics:
 - Attack Vector: Network
 - Attack Complexity: Low
 - Privileges Required: Low
 - User Interaction: None
 - Scope: Unchanged
- Impact Metrics:
 - Confidentiality Impact: High
 - Integrity Impact: High
 - Availability Impact: High

For more information on CVSS3 Scores, click <a href="https://www.first.org/cvss/calculator/3.0">here</a>.

</details>

<details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/suggested_fix.png' width=19 height=20> Suggested Fix</summary>


Type: Upgrade version
Origin: <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-33891">https://nvd.nist.gov/vuln/detail/CVE-2022-33891</a>
Release Date: 2022-07-18
Fix Resolution: org.apache.spark:spark-core_2.10:no_fix


</details>


***
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2022-33891 (High) detected in pyspark-2.4.0.tar.gz, pyspark-2.4.5.tar.gz #6

CVE-2022-33891 - High Severity Vulnerability

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

CVE-2022-33891 (High) detected in pyspark-2.4.0.tar.gz, pyspark-2.4.5.tar.gz #6

Description

CVE-2022-33891 - High Severity Vulnerability

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions