Apache · Apache Spark · CVE-2023-32007
**Name of the Vulnerable Software and Affected Versions**
Apache Spark versions prior to 3.4.0
**Description**
The Apache Spark UI allows ACLs to be enabled via the configuration option `spark.acls.enable`. Together with an authentication filter, this checks whether a user has permission to view or modify the application. When ACLs are enabled, a code path in `HttpSecurityFilter` can allow a caller to impersonate another user by supplying an arbitrary user name. A malicious user might then reach a permission check function that builds a Unix shell command from that input and executes it, resulting in arbitrary shell command execution as the OS user that Spark is running as.
**Recommendations**
Upgrade to a supported version of Apache Spark, such as version 3.4.0.
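The following exposure check is an added example, not part of this advisory or of Apache Spark itself. It combines the two conditions the advisory names, a version prior to 3.4.0 and `spark.acls.enable` set to true, to flag a deployment that should be upgraded; the configuration text it parses is a constructed sample.

```python
"""Exposure check for CVE-2023-32007 (added example, not Apache Spark project code).

A deployment is flagged when both conditions from the advisory hold:
the Spark version is below 3.4.0 and `spark.acls.enable` is true.
"""
import re

FIXED_VERSION = (3, 4, 0)  # first release the advisory lists as not affected

# Constructed sample of a spark-defaults.conf fragment (not from a real cluster).
SAMPLE_CONF = """
# comment lines and blank lines are ignored
spark.master            yarn
spark.acls.enable       true
spark.ui.filters        org.example.AuthFilter
"""


def parse_version(version: str) -> tuple:
    """Turn '3.3.2' or '3.4.0-SNAPSHOT' into (3, 3, 2) / (3, 4, 0); suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Spark version: {version!r}")
    return tuple(int(p) for p in m.groups())


def parse_conf(text: str) -> dict:
    """Parse spark-defaults.conf style lines; key and value are separated by '=' or whitespace."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) == 2:
            conf[parts[0]] = parts[1].strip()
    return conf


def acls_enabled(conf: dict) -> bool:
    """Spark treats the option as a boolean string; default is false when unset."""
    return conf.get("spark.acls.enable", "false").strip().lower() == "true"


def is_affected(version: str, conf: dict) -> bool:
    """Exposed only when the version predates the fix AND the vulnerable code path is reachable."""
    return parse_version(version) < FIXED_VERSION and acls_enabled(conf)


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    for v in ("3.3.2", "3.4.0"):
        print(v, "affected" if is_affected(v, conf) else "not affected")
```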