VYPR
Critical severityNVD Advisory· Published Apr 17, 2023· Updated Oct 21, 2024

Apache Spark proxy-user privilege escalation from malicious configuration class

CVE-2023-22946

Description

In Apache Spark versions prior to 3.4.0, applications using spark-submit can specify a 'proxy-user' to run as, limiting privileges. The application can execute code with the privileges of the submitting user, however, by providing malicious configuration-related classes on the classpath. This affects architectures relying on proxy-user, for example those using Apache Livy to manage submitted applications.

Update to Apache Spark 3.4.0 or later, and ensure that spark.submit.proxyUser.allowCustomClasspathInClusterMode is set to its default of "false", and is not overridden by submitted applications.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.apache.spark:spark-core_2.12Maven
< 3.3.33.3.3
org.apache.spark:spark-core_2.13Maven
< 3.3.33.3.3
pysparkPyPI
< 3.3.23.3.2

Affected products

5

Patches

Vulnerability mechanics

References

9

News mentions

0

No linked articles in our index yet.