CVE-2023-22946
First published: Mon Apr 17 2023(Updated: )
In Apache Spark versions prior to 3.4.0, applications using spark-submit can specify a 'proxy-user' to run as, limiting privileges. The application can execute code with the privileges of the submitting user, however, by providing malicious configuration-related classes on the classpath. This affects architectures relying on proxy-user, for example those using Apache Livy to manage submitted applications. Update to Apache Spark 3.4.0 or later, and ensure that spark.submit.proxyUser.allowCustomClasspathInClusterMode is set to its default of "false", and is not overridden by submitted applications.
Credit: security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Spark | <3.4.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2023-22946.
What is the severity of CVE-2023-22946?
CVE-2023-22946 has a severity rating of 9.9 (critical).
What is the affected software?
The affected software includes Apache Spark versions prior to 3.4.0 and versions 3.3.3, specifically the `org.apache.spark:spark-core_2.13` package.
What is the remedy for CVE-2023-22946?
To fix CVE-2023-22946, update to Apache Spark version 3.4.0 or version 3.3.3.
Where can I find more information about CVE-2023-22946?
You can find more information about CVE-2023-22946 on the NIST National Vulnerability Database (NVD) website.
- collector/nvd-cve
- collector/nvd-index
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- agent/weakness
- vendor/apache
- canonical/apache spark