CVE-2023-38889
Description
An issue in Alluxio v.2.9.3 and before allows an attacker to execute arbitrary code via a crafted script to the username parameter of alluxio.util.CommonUtils.getUnixGroups(java.lang.String).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2023-38889 is a code injection vulnerability in Alluxio v2.9.3 and earlier, where a crafted username parameter allows arbitrary command execution via shell metacharacters.
Vulnerability Overview
CVE-2023-38889 is a code injection vulnerability in the getUnixGroups method of alluxio.util.CommonUtils in Alluxio versions 2.9.3 and earlier. The flaw arises because the method passes a user-supplied username parameter directly into a shell command without sanitization. Specifically, the method splices the username into a command string that is later executed via `bash -c`. An attacker can inject shell metacharacters (e.g., a pipe `|`) as part of the username, causing arbitrary commands to be executed alongside the intended `id -gn` and `id -Gn` commands [1][3].
Attack Vector and Exploitation
To exploit this vulnerability, an attacker must be able to supply a malicious username string to the CommonUtils.getUnixGroups() method. In typical Alluxio deployments, this method is used to look up Unix group information for a given user, and the username parameter may be taken from external input (e.g., during user authentication or file operations). No prior authentication is required if the method is callable from an unauthenticated endpoint. The attacker simply includes shell metacharacters such as `|`, `;`, or backticks in the username. For example, passing `| echo 123` as the username results in the execution of `bash -c id -gn | echo 123; id -Gn`, causing `echo 123` to run as a separate command [3].
Impact
Successful exploitation allows an attacker to execute arbitrary operating system commands with the privileges of the Alluxio process. This can lead to full remote code execution, enabling the attacker to read, modify, or delete data managed by Alluxio, disrupt service availability, or pivot to other systems in the network. The impact is critical due to the potential for complete compromise of the Alluxio deployment [2][3].
Mitigation Status
As of the publication date, the vendor has been notified and a fix has been submitted via pull request [3]. Users are advised to update to the patched version as soon as it becomes available. In the interim, administrators should restrict access to the Alluxio API that accepts user-supplied usernames, and apply network-level controls to limit exposure to trusted clients only [2].
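The hardened shape of the lookup described in the overview, as an added example: this is not Alluxio's code or its fix, but a reconstruction of the pattern the narrative describes, with a strict user-name allow-list and `id` invoked through ProcessBuilder with discrete arguments so no shell ever parses the name. It assumes Java 11 or later and a POSIX host with `id(1)`; the class and method names are illustrative.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

public final class UnixGroupsExample {
  // Conservative POSIX-style user name. Nothing that bash treats as a
  // metacharacter (| ; ` $ ( ) & < > space, quotes) can match this pattern.
  private static final Pattern USERNAME =
      Pattern.compile("^[a-z_][a-z0-9_-]{0,31}\\$?$");

  /**
   * Vulnerable shape (illustrative, not Alluxio's source): the name is spliced
   * into one string handed to "bash -c id -gn NAME; id -Gn NAME", so a name
   * such as "| echo 123" is parsed by the shell as extra commands.
   *
   * Hardened shape below: reject anything outside the allow-list, then pass
   * the name as its own argv element. No shell runs, so no parsing happens.
   */
  static List<String> getUnixGroups(String user) throws IOException {
    if (user == null || !USERNAME.matcher(user).matches()) {
      throw new IllegalArgumentException("invalid user name");
    }
    Set<String> groups = new LinkedHashSet<>(); // primary group first, no duplicates
    for (String flag : new String[] {"-gn", "-Gn"}) {
      Process p = new ProcessBuilder("id", flag, user).redirectErrorStream(true).start();
      String out = new String(p.getInputStream().readAllBytes(), StandardCharsets.UTF_8).trim();
      try {
        if (p.waitFor() != 0) {
          throw new IOException("id " + flag + " failed for " + user + ": " + out);
        }
      } catch (InterruptedException e) {
        Thread.currentThread().interrupt();
        throw new IOException("interrupted while waiting for id", e);
      }
      if (!out.isEmpty()) {
        groups.addAll(Arrays.asList(out.split("\\s+")));
      }
    }
    return List.copyOf(groups);
  }

  public static void main(String[] args) throws IOException {
    System.out.println(getUnixGroups("root")); // e.g. [root] on most Linux hosts
    try {
      getUnixGroups("| echo 123"); // the page's example name is rejected before any process starts
    } catch (IllegalArgumentException e) {
      System.out.println("rejected: " + e.getMessage());
    }
  }
}
```

The allow-list is the real control: even with argv-style invocation, validating the name keeps unexpected input out of log lines and downstream lookups, and makes rejected names easy to alert on.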
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.alluxio:alluxio-parent | Maven | <= 2.9.3 | — |
Affected products
- Alluxio/Alluxio
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-xrrh-h86w-pwfj (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-38889 (GHSA, advisory)
- github.com/Alluxio/alluxio/issues/17766 (GHSA, web)
News mentions
No linked articles in our index yet.