Vulnerability details: VCID-4at1-k27t-aaan
Vulnerability ID VCID-4at1-k27t-aaan
Aliases BIT-2022-33891
BIT-spark-2022-33891
CVE-2022-33891
GHSA-4x9r-j582-cgr8
PYSEC-2022-236
Summary The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.
Status Published
Exploitability 2.0
Weighted Severity 8.0
Risk 10.0
Affected and Fixed Packages Package Details
Weaknesses (4)
System Score Found at
cvssv3.1 8.8 http://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html
generic_textual HIGH http://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html
ssvc Attend http://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html
cvssv3 8.8 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-33891.json
epss 0.9424 https://api.first.org/data/v1/epss?cve=CVE-2022-33891
epss 0.94275 https://api.first.org/data/v1/epss?cve=CVE-2022-33891
epss 0.94287 https://api.first.org/data/v1/epss?cve=CVE-2022-33891
epss 0.97051 https://api.first.org/data/v1/epss?cve=CVE-2022-33891
epss 0.97137 https://api.first.org/data/v1/epss?cve=CVE-2022-33891
epss 0.97154 https://api.first.org/data/v1/epss?cve=CVE-2022-33891
epss 0.97258 https://api.first.org/data/v1/epss?cve=CVE-2022-33891
epss 0.97286 https://api.first.org/data/v1/epss?cve=CVE-2022-33891
cvssv3.1 8.8 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-4x9r-j582-cgr8
cvssv3.1 8.8 https://github.com/apache/spark
generic_textual HIGH https://github.com/apache/spark
cvssv3.1 8.8 https://github.com/pypa/advisory-database/tree/main/vulns/pyspark/PYSEC-2022-236.yaml
generic_textual HIGH https://github.com/pypa/advisory-database/tree/main/vulns/pyspark/PYSEC-2022-236.yaml
cvssv3.1 8.8 https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc
generic_textual HIGH https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc
ssvc Attend https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc
cvssv3 8.8 https://nvd.nist.gov/vuln/detail/CVE-2022-33891
cvssv3.1 8.8 https://nvd.nist.gov/vuln/detail/CVE-2022-33891
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2022-33891
cvssv3.1 8.8 https://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html
generic_textual HIGH https://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html
cvssv3.1 8.8 https://www.openwall.com/lists/oss-security/2023/05/02/1
generic_textual HIGH https://www.openwall.com/lists/oss-security/2023/05/02/1
cvssv3.1 8.8 http://www.openwall.com/lists/oss-security/2023/05/02/1
generic_textual HIGH http://www.openwall.com/lists/oss-security/2023/05/02/1
ssvc Attend http://www.openwall.com/lists/oss-security/2023/05/02/1
Data source KEV
Date added March 7, 2023
Description Apache Spark contains a command injection vulnerability via Spark User Interface (UI) when Access Control Lists (ACLs) are enabled.
Required action Apply updates per vendor instructions.
Due date March 28, 2023
Note
https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc;  https://nvd.nist.gov/vuln/detail/CVE-2022-33891
Ransomware campaign use Unknown
Data source Metasploit
Description This module exploits an unauthenticated command injection vulnerability in Apache Spark. Successful exploitation results in remote code execution under the context of the Spark application user. The command injection occurs because Spark checks the group membership of the user passed in the ?doAs parameter by using a raw Linux command. It is triggered by a non-default setting called spark.acls.enable. This configuration setting spark.acls.enable should be set true in the Spark configuration to make the application vulnerable to this attack. Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1 are affected by this vulnerability.
Note
Stability:
  - crash-safe
Reliability:
  - repeatable-session
SideEffects:
  - ioc-in-logs
Ransomware campaign use Unknown
Source publication date July 18, 2022
Platform Linux,Unix
Source URL https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/linux/http/apache_spark_rce_cve_2022_33891.rb
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at http://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html
Vector: SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-04T14:13:50Z/ Found at http://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-33891.json
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/apache/spark
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/pypa/advisory-database/tree/main/vulns/pyspark/PYSEC-2022-236.yaml
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc
Vector: SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-04T14:13:50Z/ Found at https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2022-33891
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2022-33891
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://www.openwall.com/lists/oss-security/2023/05/02/1
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at http://www.openwall.com/lists/oss-security/2023/05/02/1
Vector: SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-04T14:13:50Z/ Found at http://www.openwall.com/lists/oss-security/2023/05/02/1
Exploit Prediction Scoring System (EPSS)
Percentile 0.99921
EPSS Score 0.9424
Published At April 2, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
There are no relevant records.