CVE-2022-33891

Name: CVE-2022-33891
Creator: NVD / NIST
Published: 2022-07-18T07:15:07.6+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 8.8/10Actively ExploitedEPSS 92.98%

Last modified Jun 17, 2026

CVE-2022-33891 is a high-severity vulnerability rated 8.8/10 on the CVSS scale. The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. CISA has confirmed active exploitation in the wild. EPSS estimates a 92.98% chance of exploitation in the next 30 days.

Description

The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.

Metrics

CVSS 3.1

8.8/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

92.98%

99.8th percentile

Probability of exploitation in the next 30 days. Learn more

Exploitation Status

This vulnerability is listed in CISA’s Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. Federal agencies must remediate by Mar 28, 2023.

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Apache	Spark	<= 3.0.3
Apache	Spark	>= 3.1.1, <= 3.1.2
Apache	Spark	>= 3.2.0, <= 3.2.1

References

http://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.htmlExploit, Third Party Advisory, VDB Entry
http://www.openwall.com/lists/oss-security/2023/05/02/1Mailing List, Third Party Advisory
https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlcMailing List, Third Party Advisory
http://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.htmlExploit, Third Party Advisory, VDB Entry
http://www.openwall.com/lists/oss-security/2023/05/02/1Mailing List, Third Party Advisory
https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlcMailing List, Third Party Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-33891Third Party Advisory, US Government Resource

Timeline

Published: Jul 18, 2022
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2022-33891?

How severe is CVE-2022-33891?

CVE-2022-33891 has a CVSS score of 8.8/10 (HIGH severity). The EPSS model estimates a 92.98% probability of exploitation in the next 30 days. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.

How do I fix CVE-2022-33891?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2022-33891?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST