diff --git a/documentation/modules/exploit/linux/http/apache_spark_rce_cve_2022_33891.md b/documentation/modules/exploit/linux/http/apache_spark_rce_cve_2022_33891.md index 7a36e202b6..4f92b8e558 100644 --- a/documentation/modules/exploit/linux/http/apache_spark_rce_cve_2022_33891.md +++ b/documentation/modules/exploit/linux/http/apache_spark_rce_cve_2022_33891.md 
@@ -1,16 +1,28 @@ ## Vulnerable Application This module exploits a remote code execution vulnerability (CVE-2022-33891) of Apache Spark. -The Apache Spark UI offers the possibility to enable ACLs via the configuration option `spark.acls.enable`. -With an authentication filter, this checks whether a user has access permissions to view or modify the application. -If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. -A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. +The Apache Spark UI offers the possibility to enable ACLs via the configuration option `spark.acls.enable`. +With an authentication filter, this checks whether a user has access permissions to view or modify the application. +The permission check is coded using a bash command shell and the unix id command that allows a malicious shell command injection. -This will result in arbitrary shell command execution as the user `Spark` is currently running as. +Ironically the `spark.acls.enable` configuration setting is designed to improve the security access within the Spark application, +but unfortunately this configuration setting triggers the vulnerable code below. + +``` +private def getUnixGroups(username: String): Set[String] = { + val cmdSeq = Seq("bash", "-c", "id -Gn " + username) + // we need to get rid of the trailing "\n" from the result of command execution + Utils.executeAndGetOutput(cmdSeq).stripLineEnd.split(" ").toSet + Utils.executeAndGetOutput(idPath :: "-Gn" :: username :: Nil).stripLineEnd.split(" ").toSet + } +} +``` + +This will result in arbitrary shell command execution as the user `Spark`. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1 -Installing a vulnerable version of Apache Spark is quite easy. 
+Installing a vulnerable version of Apache Spark to test this vulnerability is quite easy. To set the server up use the following docker-compose.yml file and follow the steps below: ``` @@ -165,7 +177,7 @@ msf6 exploit(linux/http/apache_spark_rce_cve_2022_33891) > ``` ## Limitations -The check option to determine if the application is vulnerable is based on a 403 response and the successful execution of a `sleep 10` command. +The check to determine if the application is vulnerable is based on a 403 response and the successful execution of a `sleep 10` command. The exploit is a blind command injection, so there is nothing reflected back on the page during the command execution. The sleep command execution in this case is therefore a pretty safe bet to check if the command is succesfully executed. This test works fine a LAN based setup where the timing for execution will be around 10 seconds.
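Review bot: in the first hunk, the added code block mixes the vulnerable line and what looks like the patched line, so it does not show a single coherent function: `Utils.executeAndGetOutput(cmdSeq).stripLineEnd.split(" ").toSet` is immediately followed by `Utils.executeAndGetOutput(idPath :: "-Gn" :: username :: Nil).stripLineEnd.split(" ").toSet`, which references an `idPath` that is never defined in the snippet and no longer goes through `bash -c`, and the block closes with two `}` for one opened `def`. Keep only the `bash -c "id -Gn " + username` form that the surrounding text describes, drop the `idPath` line and the stray brace, and tag the fence as scala. The rewrite also removed the sentence "If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name", which is the step that explains how an unauthenticated caller reaches `getUnixGroups` at all; that explanation should stay, and "bash command shell and the unix id command" would read better as "Bash shell and the Unix `id` command", with the running user written as `spark` rather than `Spark` unless that capitalised account name is intended.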
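Review bot: the second hunk only trims "The check option" to "The check", but since it touches this paragraph the remaining context lines should be cleaned up in the same change: "succesfully executed" is misspelled (successfully) and "This test works fine a LAN based setup" is missing a word ("works fine in a LAN-based setup").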