Synced 16 Jun 2026 15:24 UTC Account
← All products

CVE-2022-33891

HIGH severity · CVSS 8.8 · OS command injection · actively exploited (CISA KEV)
8.8CVSS HIGH exploited
Actively exploited in the wild (CISA Known Exploited Vulnerabilities). Added to KEV 2023-03-07. US federal agencies must patch by 2023-03-28.

Summary

The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.

Impact & exploitability

Attack vectorNetwork
Attack complexityLow
Privileges requiredLow
User interactionNone
Confidentiality impactHigh
Integrity impactHigh
Availability impactHigh
Exploit probability (EPSS)93%

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected products we track (1)

Spark

Recommendation

This vulnerability is being actively exploited in the wild — patch affected products urgently. Open any affected product above for its exact safe version.

Additional information