Cyber Resilience

CVE-2022-33891

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 18 July 2022
Modified: 23 October 2025
KEV added: 07 March 2023
Patch
CVSS v3.1 score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.9351 (99.8th percentile)
Risk priority: 94 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-33891 is a high-severity OS Command Injection (CWE-78) vulnerability in Apache Spark. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).

Deeper analysis

The vulnerability is an OS command injection flaw (CWE-78) in Apache Spark's web UI authentication and authorization logic. When spark.acls.enable is set to true alongside an authentication filter, the HttpSecurityFilter code path accepts an arbitrary username supplied by the client. This value reaches a permission-checking routine that constructs and executes a Unix shell command without proper sanitization, allowing the supplied input to be interpreted as part of the command line. The issue affects Spark versions 3.0.3 and earlier, 3.1.1–3.1.2, and 3.2.0–3.2.1.

An attacker who can reach the Spark UI (typically over the network) can supply a crafted username that bypasses the intended ACL checks. Successful exploitation grants the ability to run arbitrary operating-system commands with the privileges of the user account under which the Spark process is executing, resulting in full confidentiality, integrity, and availability impact on the host.

Public references, including an Apache security announcement thread and oss-security postings, document the flaw and point to updated Spark releases that correct the input handling in HttpSecurityFilter. Separate exploit artifacts published on Packet Storm demonstrate unauthenticated command injection against the same code path.

The CVE carries a CVSS score of 8.8 and maintains a very high EPSS score (current 0.9351, peak 0.9745), indicating sustained exploitation interest after disclosure.

EU & UK References

Vulnerability details

The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.

CWE(s): CWE-78 (OS Command Injection)
KEV date added: 07 March 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: apache
Product: spark
Versions: ≤ 3.0.3, 3.1.1 to 3.1.2, 3.2.0 to 3.2.1
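As an added example (not the advisory's or Apache Spark's own code), the following Python script turns the affected version ranges listed above and the spark.acls.enable precondition into a local exposure check. The spark-defaults.conf samples embedded in it are constructed for illustration, and the conf parser is a minimal one written for this example.

```python
"""Exposure check for CVE-2022-33891: affected Spark version plus spark.acls.enable=true.

Added example, not the advisory's or Apache Spark's own code. The version ranges
are the ones listed on this page; the config samples below are constructed.
"""
import re
from typing import Dict, Tuple

# Affected ranges from the advisory: <= 3.0.3, 3.1.1 to 3.1.2, 3.2.0 to 3.2.1
AFFECTED_RANGES = (
    ((0, 0, 0), (3, 0, 3)),
    ((3, 1, 1), (3, 1, 2)),
    ((3, 2, 0), (3, 2, 1)),
)

# Constructed spark-defaults.conf samples (hostnames are placeholders).
SAMPLE_CONF_ACLS_ON = """
# constructed sample: ACLs enabled on the web UI
spark.master            spark://spark-master.internal:7077
spark.acls.enable       true
spark.ui.port           4040
"""
SAMPLE_CONF_ACLS_OFF = """
spark.master spark://spark-master.internal:7077
spark.ui.port=4040
"""


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '3.2.1' or 'v3.1.2-SNAPSHOT' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Spark version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def version_is_affected(version: str) -> bool:
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def parse_spark_conf(text: str) -> Dict[str, str]:
    """Minimal spark-defaults.conf parser: 'key value' or 'key=value', '#' comments."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            conf[parts[0]] = parts[1].strip()
    return conf


def assess(version: str, conf_text: str) -> Dict[str, object]:
    """Combine version and config into a verdict a defender can act on."""
    conf = parse_spark_conf(conf_text)
    acls = conf.get("spark.acls.enable", "false").lower() == "true"
    affected = version_is_affected(version)
    if affected and acls:
        status, detail = "vulnerable", "affected version with spark.acls.enable=true; upgrade"
    elif affected:
        status, detail = "at_risk", "affected version; ACLs off now, enabling them exposes the flaw; upgrade"
    else:
        status, detail = "not_affected", "version outside the advisory's affected ranges"
    return {"version": version, "version_affected": affected,
            "acls_enabled": acls, "status": status, "detail": detail}


if __name__ == "__main__":
    for ver, conf in (("3.2.1", SAMPLE_CONF_ACLS_ON), ("3.1.2", SAMPLE_CONF_ACLS_OFF), ("3.2.2", SAMPLE_CONF_ACLS_ON)):
        print(assess(ver, conf))
```

The check deliberately reports an affected version as at risk even when ACLs are off, since the precondition is a single configuration change away; the authoritative fix is the version upgrade, not keeping spark.acls.enable false.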

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)

Validates all input (including the impersonation username supplied to HttpSecurityFilter) before it is used to construct Unix shell commands, directly blocking the CWE-78 injection path.

AC-6 Least Privilege (prevent)

Ensures the Spark process runs with only the privileges required for its function, limiting the impact of any successful command execution to the minimal necessary scope.

Vendor patching (prevent)

Requires prompt application of vendor patches that close the HttpSecurityFilter impersonation-to-shell-command flaw in the listed vulnerable Spark versions.
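To make the SI-10 control concrete, here is an added example (not Apache Spark's code and not the fix the project shipped) of how a username that must feed an OS command can be constrained: an allowlist check first, then an argv list so that no shell ever parses the value. It assumes the permission check looks up a user's Unix groups with a command of the form `id -Gn <user>`; the page does not name the command, so that is an assumption made for illustration, and the sample inputs are constructed.

```python
"""Input validation (SI-10) for a username that feeds an OS command.

Added example, not Apache Spark's code and not the project's fix. Assumes the
group lookup is `id -Gn <user>` (an assumption; the page does not name it).
"""
import re
import subprocess
from typing import Dict, List

# Allowlist: lowercase POSIX-style usernames only. Spaces, quotes, ';', '$',
# backticks, newlines and uppercase are all rejected before any command is built.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_.-]{0,31}")


def validate_username(user: str) -> str:
    """Return the username unchanged if it matches the allowlist, else raise ValueError."""
    if not isinstance(user, str) or not USERNAME_RE.fullmatch(user):
        raise ValueError("username rejected by allowlist")
    return user


def build_group_lookup_argv(user: str) -> List[str]:
    """Build the argv list for the group lookup.

    Two independent layers: the allowlist above, and passing arguments as a
    list (shell=False) so the value is never interpreted by a shell.
    """
    return ["id", "-Gn", validate_username(user)]


def lookup_groups(user: str) -> List[str]:
    """Run the lookup without a shell and return the group names (empty on failure)."""
    result = subprocess.run(build_group_lookup_argv(user), capture_output=True,
                            text=True, check=False)
    if result.returncode != 0:
        return []  # unknown user or lookup failure: deny by default
    return result.stdout.split()


def triage(candidates: List[str]) -> Dict[str, List[str]]:
    """Classify sample inputs as accepted or rejected by the allowlist."""
    out: Dict[str, List[str]] = {"accepted": [], "rejected": []}
    for c in candidates:
        try:
            out["accepted"].append(validate_username(c))
        except ValueError:
            out["rejected"].append(c)
    return out


# Constructed sample inputs (not taken from any real request log).
SAMPLE_INPUTS = ["spark", "analyst_01", "bob;echo hi", "alice$(date)", "a b", "", "ADMIN"]

if __name__ == "__main__":
    print(triage(SAMPLE_INPUTS))
```

The allowlist is deliberately stricter than what a shell would choke on: rejecting everything outside a small character set is easier to reason about than enumerating dangerous metacharacters, and the argv list is a second line of defence in case the allowlist is ever loosened.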

References