VYPR
High severity · NVD Advisory · Published May 2, 2023 · Updated Feb 13, 2025

Apache Spark: Shell command injection via Spark UI

CVE-2023-32007

Description

UNSUPPORTED WHEN ASSIGNED The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This issue was disclosed earlier as CVE-2022-33891, but incorrectly claimed version 3.1.3 (which has since gone EOL) would not be affected.

NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Users are recommended to upgrade to a supported version of Apache Spark, such as version 3.4.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2023-32007: A shell command injection in Apache Spark UI's ACL filter allows unauthenticated impersonation and arbitrary command execution on unsupported versions.

Vulnerability Overview

CVE-2023-32007 is a shell command injection vulnerability in the Apache Spark UI's HTTP security filter (HttpSecurityFilter). When ACLs are enabled via spark.acls.enable, the filter accepts an arbitrary user name supplied in the request and treats the caller as that user. The subsequent permission check builds a Unix shell command from that name and executes it, so shell metacharacters in the supplied name become additional commands run as the Spark process user [1][2]. The same flaw was disclosed earlier as CVE-2022-33891, which incorrectly stated that version 3.1.3 was not affected; CVE-2023-32007 corrects the affected range [4].

Attack Vector

An attacker who can reach the Spark UI of an affected cluster (versions 3.1.1 up to, but not including, 3.2.2) with ACLs enabled sends crafted HTTP requests carrying a chosen user name. No valid credentials are required: the impersonated name is accepted by the filter and handed to the permission check, which interpolates it into a shell command. Metacharacters in the name therefore yield arbitrary OS command execution as the user running Spark [2][4].
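The two shapes of the code path described above, as an added illustration that is not Spark's own code: a group lookup that pastes the impersonated user name into a shell string (the vulnerable pattern), beside a hardened version that validates the name and passes it as one argv element with no shell in between. The command `id -Gn <user>` is assumed here as a stand-in for the Unix command the advisory says is built from the user name; the parser that models what `bash -c` would execute is a simplified model of shell separators only and does not model substitutions such as `$(...)`. The payload strings are constructed for the example.

```python
"""Model of the injection pattern behind CVE-2023-32007 / CVE-2022-33891.

Added illustration, not Spark's code. `id -Gn <user>` is assumed as a stand-in
for the group-lookup command the advisory says is built from the user name.
"""
import re
import shlex
import subprocess
from typing import List

# Conservative POSIX account-name shape: no whitespace, no shell metacharacters.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def vulnerable_group_command(user: str) -> List[str]:
    """Vulnerable shape: the caller-supplied name is pasted into a shell string.
    `bash -c` re-parses that string, so `;`, `|`, `&` and friends inside `user`
    become extra commands executed as the Spark process user."""
    return ["bash", "-c", "id -Gn " + user]


def is_valid_username(user: str) -> bool:
    """Allow-list check applied before any interaction with the OS."""
    return USERNAME_RE.match(user) is not None


def hardened_group_command(user: str) -> List[str]:
    """Hardened shape: validate first, then pass the name as a single argv
    element so no shell sits between the caller and execve()."""
    if not is_valid_username(user):
        raise ValueError(f"refusing group lookup for invalid user name {user!r}")
    return ["id", "-Gn", user]


def commands_the_shell_would_run(cmd: List[str]) -> List[List[str]]:
    """Simplified model of how `bash -c STRING` tokenises STRING: split on
    whitespace and on the separators ; | & && ||, returning one argv per
    command the shell would run. A plain argv (no shell) is returned as-is.
    Substitutions ($(...), backticks) are deliberately not modelled."""
    if cmd[:2] != ["bash", "-c"]:
        return [cmd]
    lexer = shlex.shlex(cmd[2], posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands: List[List[str]] = []
    current: List[str] = []
    for tok in lexer:
        if tok in (";", "|", "&", "&&", "||"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def lookup_groups(user: str) -> List[str]:
    """Run the hardened lookup for real and return the group names.
    Needs a Unix `id` binary; not exercised by the offline checks."""
    out = subprocess.run(hardened_group_command(user),
                         capture_output=True, text=True, check=True)
    return out.stdout.split()


if __name__ == "__main__":
    # Constructed payloads: a benign name and an injected second command.
    for name in ("alice", "nobody; touch /tmp/pwned"):
        print(repr(name), "->", commands_the_shell_would_run(vulnerable_group_command(name)))
        print("  passes allow-list:", is_valid_username(name))
```

The point to take from the model is that the fix is not escaping: once the user name is an argv element of `id` rather than part of a string that a shell re-parses, there is nothing left to inject into, and the allow-list turns every other malformed name into a logged rejection instead of a process spawn.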

Impact

Successful exploitation gives arbitrary shell command execution with the privileges of the Spark process. From there an attacker can read or alter the application's data, consume or redirect cluster resources, and pivot to other hosts on the network. Apache rates the issue important (NVD: high severity), and the CVE is marked "UNSUPPORTED WHEN ASSIGNED" because every affected version was already out of support when the identifier was assigned [2][4].

Mitigation

Upgrade to a supported version of Apache Spark (3.4.0 or later at the time of the advisory; 3.2.2 is the first release carrying the fix). For clusters that cannot move yet, setting spark.acls.enable=false removes the vulnerable code path, since the advisory notes it is only reached when ACLs are enabled, but it also removes UI authorization altogether, so it must be paired with strict network access controls on the UI. Neither measure is a substitute for upgrading [1][2].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                              Ecosystem   Affected versions    Patched versions
org.apache.spark:spark-parent_2.12   Maven       >= 3.1.1, < 3.2.2    3.2.2
pyspark                              PyPI        >= 3.1.1, < 3.2.2    3.2.2
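A fleet triage helper, added here as an example and not part of the advisory or of Spark tooling, that encodes the facts on this page: the affected range [3.1.1, 3.2.2) for both the Maven artifact and pyspark, and the vulnerable code path being live only when spark.acls.enable is true. It assumes the Spark version string and the resolved configuration have already been collected from each deployment (for instance from the UI's Environment tab or spark-defaults.conf); the inventory below is constructed. Versions below 3.1.1 are flagged separately rather than cleared, because this advisory's range starts at 3.1.1 and older builds fall under the earlier CVE-2022-33891 disclosure.

```python
"""Exposure triage for CVE-2023-32007 across a Spark fleet.

Added illustration, not Spark tooling. Encodes the advisory's affected range
[3.1.1, 3.2.2) and the dependency on spark.acls.enable being true.
"""
import re
from typing import Dict, Tuple

AFFECTED_FROM = (3, 1, 1)   # inclusive lower bound
PATCHED_IN = (3, 2, 2)      # exclusive upper bound; first fixed release


def parse_spark_version(version: str) -> Tuple[int, int, int]:
    """Reduce strings such as '3.1.3', '3.2.1-SNAPSHOT' or '3.2.0-vendor-1' to a
    comparable (major, minor, patch) tuple. Anything after the numeric part is
    ignored; vendor builds with backported fixes need a manual check."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Spark version {version!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def version_in_affected_range(version: str) -> bool:
    return AFFECTED_FROM <= parse_spark_version(version) < PATCHED_IN


def acls_enabled(conf: Dict[str, str]) -> bool:
    """spark.acls.enable is a boolean-valued string; Spark's default is false."""
    return conf.get("spark.acls.enable", "false").strip().lower() == "true"


def triage(version: str, conf: Dict[str, str]) -> str:
    """Classify one deployment.
    'vulnerable'    : affected build with the ACL code path reachable
    'acls-disabled' : affected build, vulnerable path not reachable, but the
                      UI also has no authorization; still needs an upgrade
    'patched'       : 3.2.2 or later
    'below-range'   : older than 3.1.1; outside this CVE's range, check the
                      earlier CVE-2022-33891 disclosure instead"""
    if version_in_affected_range(version):
        return "vulnerable" if acls_enabled(conf) else "acls-disabled"
    return "patched" if parse_spark_version(version) >= PATCHED_IN else "below-range"


# Constructed sample inventory: host -> (version, resolved config subset).
FLEET = {
    "batch-01":   ("3.1.3", {"spark.acls.enable": "true"}),
    "batch-02":   ("3.2.1", {}),
    "ml-01":      ("3.2.2", {"spark.acls.enable": "true"}),
    "etl-legacy": ("3.0.3", {"spark.acls.enable": "true"}),
    "new-01":     ("3.4.0", {"spark.acls.enable": "TRUE"}),
}


def triage_fleet(fleet: Dict[str, Tuple[str, Dict[str, str]]]) -> Dict[str, str]:
    return {host: triage(version, conf) for host, (version, conf) in fleet.items()}


if __name__ == "__main__":
    for host, status in sorted(triage_fleet(FLEET).items()):
        print(f"{host:12} {status}")
```

Note that batch-01 on 3.1.3 is reported vulnerable: that is exactly the build the earlier CVE-2022-33891 text wrongly excluded, so a scanner keyed only on the old advisory's range would have missed it.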
