CVE-2023-22946
CVE-2023-22946 is a critical-severity vulnerability rated 9.9/10 on the CVSS scale. In Apache Spark versions prior to 3.4.0, applications using spark-submit can specify a 'proxy-user' to run as, limiting privileges. However, the application can still execute code with the privileges of the submitting user by providing malicious configuration-related classes on the classpath. EPSS estimates a 1.11% chance of exploitation in the next 30 days.
Description
In Apache Spark versions prior to 3.4.0, applications using spark-submit can specify a 'proxy-user' to run as, limiting privileges. However, the application can still execute code with the privileges of the submitting user by providing malicious configuration-related classes on the classpath. This affects architectures that rely on proxy-user, for example those using Apache Livy to manage submitted applications. Update to Apache Spark 3.4.0 or later, and ensure that spark.submit.proxyUser.allowCustomClasspathInClusterMode is set to its default of "false" and is not overridden by submitted applications.
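The advisory gives two conditions a deployment must satisfy: a Spark version of 3.4.0 or later, and spark.submit.proxyUser.allowCustomClasspathInClusterMode left at its default of "false" without being overridden by a submitted application's `--conf` arguments. The following audit helper is an added example (not code from Apache Spark, NVD or this site) that checks both against a spark-defaults.conf file and a spark-submit command line. The sample configuration and command line embedded in it are constructed for illustration; the key name and the fixed version come from the advisory.

```python
"""Audit helper for CVE-2023-22946 (added example, not from Apache Spark or NVD).

Flags a deployment when the Spark version is below 3.4.0, or when
spark.submit.proxyUser.allowCustomClasspathInClusterMode is anything other
than its default "false" after applying the --conf overrides that a
submitted application (or a gateway such as Livy) passes to spark-submit.
"""
import re
import shlex

FIXED_VERSION = (3, 4, 0)
PROXY_KEY = "spark.submit.proxyUser.allowCustomClasspathInClusterMode"

# Constructed sample inputs (not taken from any real cluster).
SAMPLE_DEFAULTS_CONF = """# constructed spark-defaults.conf
spark.master   yarn
spark.submit.proxyUser.allowCustomClasspathInClusterMode = false
"""
SAMPLE_SUBMIT_CMD = (
    "spark-submit --proxy-user alice --deploy-mode cluster "
    "--conf spark.submit.proxyUser.allowCustomClasspathInClusterMode=true "
    "--class example.Main app.jar"
)


def parse_version(text):
    """Turn '3.3.2' or '3.4.0-SNAPSHOT' into a comparable tuple such as (3, 3, 2)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Spark version: {text!r}")
    return tuple(int(x or 0) for x in m.groups())


def version_is_fixed(text):
    """True when the version carries the fix shipped in Spark 3.4.0."""
    return parse_version(text) >= FIXED_VERSION


def parse_spark_defaults(conf_text):
    """Parse spark-defaults.conf: key/value separated by whitespace or '=', '#' comments."""
    props = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"([^\s=]+)\s*(?:=|\s)\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def parse_submit_overrides(cmdline):
    """Collect every '--conf key=value' pair from a spark-submit command line."""
    args = shlex.split(cmdline)
    overrides = {}
    for i, arg in enumerate(args[:-1]):
        if arg == "--conf":
            key, _, value = args[i + 1].partition("=")
            overrides[key] = value
    return overrides


def audit(version, defaults_conf, submit_cmdline=""):
    """Return a list of findings; an empty list means neither condition was violated."""
    findings = []
    if not version_is_fixed(version):
        findings.append(f"Spark {version} is below 3.4.0: affected by CVE-2023-22946")
    props = parse_spark_defaults(defaults_conf)
    props.update(parse_submit_overrides(submit_cmdline))  # application --conf wins over defaults
    value = props.get(PROXY_KEY, "false").strip().lower()
    if value != "false":
        findings.append(f"{PROXY_KEY} is {value!r}; it must remain 'false'")
    return findings


if __name__ == "__main__":
    for finding in audit("3.3.2", SAMPLE_DEFAULTS_CONF, SAMPLE_SUBMIT_CMD):
        print("FINDING:", finding)
```

Running the script on the constructed inputs reports both findings: the version is below 3.4.0, and the application-supplied `--conf` flips the setting to true even though spark-defaults.conf sets it to false. The version check alone is not enough on a patched cluster; the override check is what catches a submitted application (or Livy session) re-enabling custom classpaths.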
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Apache | Spark | < 3.4.0 |
References
- https://lists.apache.org/thread/yllfl25xh5tbotjmg93zrq4bzwhqc0gv (Mailing List, Vendor Advisory)
Source: NVD / NIST
