CVE-2022-33891

unknown KEV
Published 2022-07-19 · Modified 2023-12-06
CVSS v3
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H
CVSS v2
VIR risk
1.5

Description

The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.

CISA KEV

Vendor
Apache
Product
Spark
Due date
2023-03-28

Predictions

Exploit likelihood
99%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: cisa-kev — https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc; https://nvd.nist.gov/vuln/detail/CVE-2022-33891

vendor Authored 2026-05-27

Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2022-33891.html

Exploits

OS impact

OS    Version  Status    Fixed in
suse  sles     affected

Package impact

Ecosystem     Package                             Vulnerable        Fixed
java Maven    org.apache.spark:spark-parent_2.12  >=3.1.1,<3.2.2    3.2.2
python PyPI   pyspark                             <=3.0.3
python PyPI   pyspark                             >=3.1.1,<3.2.2    3.2.2
java Maven    org.apache.spark:spark-parent_2.12  <=3.0.3
python PyPI   pyspark                             >=3.1.1,<3.1.3    3.1.1

References
