Spark / SPARK-38631

Arbitrary shell command injection via Utils.unpack()


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 3.1.2, 3.2.1, 3.3.0
    • Fix Version/s: 3.1.3, 3.3.0, 3.2.2
    • Component/s: Spark Core
    • Labels: None

    Description

      There is a risk of arbitrary shell command injection via Utils.unpack when the filename is controlled by a malicious user. This is due to an issue in Hadoop's unTar, which does not properly escape the filename before passing it to a shell command: https://github.com/apache/hadoop/blob/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FileUtil.java#L904
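      The pattern the description refers to, reduced to a self-contained illustration. This is an added example and not code from Spark or Hadoop: it mirrors the vulnerable shape (an attacker-controlled file name interpolated unquoted into a shell command line) in Python rather than Java, and contrasts it with two mitigations, quoting the name before it reaches the shell and extracting in-process with no shell at all. The archive, the file name `archive.tar; touch INJECTED`, and all function names are constructed for the demonstration.

```python
import shlex
import subprocess
import tarfile
import tempfile
from pathlib import Path

# Characters a POSIX shell can interpret; used by the pre-check below.
SHELL_META = set(";|&$`<>(){}[]*?!\\'\"\n\t ")


def build_untar_shell_command(archive_path: str) -> str:
    # VULNERABLE (constructed to mirror the pattern in the issue): the path is
    # pasted into a command line without quoting, so a ';' in the file name
    # ends the tar command and whatever follows runs as a second command.
    return f"tar -xf {archive_path}"


def build_untar_shell_command_quoted(archive_path: str) -> str:
    # Narrow fix: shlex.quote wraps the path in single quotes (escaping any
    # embedded quote), so the shell sees one word however odd the name is.
    return f"tar -xf {shlex.quote(archive_path)}"


def has_shell_metacharacters(name: str) -> bool:
    # Defensive pre-check a caller can apply to user-supplied file names
    # before they reach any command construction.
    return any(c in SHELL_META for c in name)


def extract_with_shell(archive_path: str, dest: str) -> None:
    # Runs the vulnerable command line through /bin/sh (shell=True).
    subprocess.run(build_untar_shell_command(archive_path),
                   shell=True, cwd=dest, capture_output=True)


def extract_in_process(archive_path: str, dest: str) -> None:
    # Stronger fix: no shell at all. Unpack with the tarfile module and refuse
    # members that would resolve outside dest (classic tar path traversal).
    dest_root = Path(dest).resolve()
    # Newer Pythons offer an extraction filter; use it when available.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive_path) as tar:
        for member in tar.getmembers():
            target = (dest_root / member.name).resolve()
            if target != dest_root and dest_root not in target.parents:
                raise ValueError(f"refusing member outside destination: {member.name}")
            tar.extract(member, path=str(dest_root), **kwargs)


def demo() -> dict:
    # Builds a constructed archive whose *file name* carries a shell payload,
    # then unpacks it both ways and reports what each path did.
    with tempfile.TemporaryDirectory() as work:
        work_dir = Path(work)
        (work_dir / "hello.txt").write_text("hello\n")

        evil_name = "archive.tar; touch INJECTED"   # attacker-chosen name
        archive = work_dir / evil_name
        with tarfile.open(archive, "w") as tar:
            tar.add(work_dir / "hello.txt", arcname="hello.txt")

        out_shell = work_dir / "out_shell"
        out_proc = work_dir / "out_proc"
        out_shell.mkdir()
        out_proc.mkdir()

        extract_with_shell(str(archive), str(out_shell))
        extract_in_process(str(archive), str(out_proc))

        return {
            "flagged_by_check": has_shell_metacharacters(evil_name),
            # The shell path never finds 'archive.tar' but does run 'touch'.
            "shell_injected": (out_shell / "INJECTED").exists(),
            "in_process_injected": (out_proc / "INJECTED").exists(),
            "in_process_extracted": (out_proc / "hello.txt").read_text() == "hello\n",
            "vulnerable_command": build_untar_shell_command(evil_name),
            "quoted_command": build_untar_shell_command_quoted(evil_name),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

      Quoting stops this particular injection, but every call site that builds a command string has to get it right; extracting in-process (or at least passing an argv list with no shell) removes the shell from the picture, which is the property a reviewer should look for in the fix.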

People

    Assignee: Hyukjin Kwon (hyukjin.kwon)
    Reporter: Hyukjin Kwon (hyukjin.kwon)
    Votes: 0
    Watchers: 4
