Vulnerability details: VCID-rrv9-qz9b-zyh9
Vulnerability ID VCID-rrv9-qz9b-zyh9
Aliases BIT-spark-2022-33891
CVE-2022-33891
GHSA-4x9r-j582-cgr8
PYSEC-2022-236
Summary Apache Spark UI can allow impersonation if ACLs enabled
The Apache Spark UI offers the possibility to enable ACLs via the configuration option `spark.acls.enable`. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1. A previous version of this advisory incorrectly stated that version 3.1.3 was not vulnerable. Per [GHSA-59hw-j9g6-mfg3](https://github.com/advisories/GHSA-59hw-j9g6-mfg3), version 3.1.3 is vulnerable and vulnerable version ranges in this advisory have been changed to reflect the correct information.
Status Published
Exploitability 2.0
Weighted Severity 8.0
Risk 10.0
Affected and Fixed Packages Package Details
Weaknesses (4)
System Score Found at
cvssv3.1 8.8 http://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html
ssvc Attend http://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html
cvssv3 8.8 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-33891.json
epss 0.94275 https://api.first.org/data/v1/epss?cve=CVE-2022-33891
cvssv3.1 8.8 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-4x9r-j582-cgr8
cvssv3.1 8.8 https://github.com/apache/spark
generic_textual HIGH https://github.com/apache/spark
cvssv3.1 8.8 https://github.com/pypa/advisory-database/tree/main/vulns/pyspark/PYSEC-2022-236.yaml
generic_textual HIGH https://github.com/pypa/advisory-database/tree/main/vulns/pyspark/PYSEC-2022-236.yaml
cvssv3.1 8.8 https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc
generic_textual HIGH https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc
ssvc Attend https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc
cvssv3.1 8.8 https://nvd.nist.gov/vuln/detail/CVE-2022-33891
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2022-33891
cvssv3.1 8.8 https://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html
generic_textual HIGH https://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html
cvssv3.1 8.8 https://www.openwall.com/lists/oss-security/2023/05/02/1
generic_textual HIGH https://www.openwall.com/lists/oss-security/2023/05/02/1
cvssv3.1 8.8 http://www.openwall.com/lists/oss-security/2023/05/02/1
ssvc Attend http://www.openwall.com/lists/oss-security/2023/05/02/1
Data source Metasploit
Description This module exploits an unauthenticated command injection vulnerability in Apache Spark. Successful exploitation results in remote code execution under the context of the Spark application user. The command injection occurs because Spark checks the group membership of the user passed in the ?doAs parameter by using a raw Linux command. It is triggered by a non-default setting called spark.acls.enable. This configuration setting spark.acls.enable should be set to true in the Spark configuration to make the application vulnerable to this attack. Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1 are affected by this vulnerability.
Note
Stability:
  - crash-safe
Reliability:
  - repeatable-session
SideEffects:
  - ioc-in-logs
Ransomware campaign use Unknown
Source publication date July 18, 2022
Platform Linux,Unix
Source URL https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/linux/http/apache_spark_rce_cve_2022_33891.rb
Data source KEV
Date added March 7, 2023
Description Apache Spark contains a command injection vulnerability via Spark User Interface (UI) when Access Control Lists (ACLs) are enabled.
Required action Apply updates per vendor instructions.
Due date March 28, 2023
Note
https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc; https://nvd.nist.gov/vuln/detail/CVE-2022-33891
Ransomware campaign use Unknown
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at http://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): low; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): high
Vector: SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-04T14:13:50Z/ Found at http://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-33891.json
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/apache/spark
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/pypa/advisory-database/tree/main/vulns/pyspark/PYSEC-2022-236.yaml
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc
Vector: SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-04T14:13:50Z/ Found at https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2022-33891
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://www.openwall.com/lists/oss-security/2023/05/02/1
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at http://www.openwall.com/lists/oss-security/2023/05/02/1
Vector: SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-04T14:13:50Z/ Found at http://www.openwall.com/lists/oss-security/2023/05/02/1
Exploit Prediction Scoring System (EPSS)
Percentile 0.99927
EPSS Score 0.94275
Published At July 12, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-01T12:25:28.338842+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-4x9r-j582-cgr8/GHSA-4x9r-j582-cgr8.json 36.1.3