In Apache Spark versions prior to 3.4.0, applications using spark-submit can specify a 'proxy-user' to run as, limiting privileges. The application can execute code with the privileges of the submitting user, however, by providing malicious configuration-related classes on the classpath. This affects architectures relying on proxy-user, for example those using Apache Livy to manage submitted applications.
Update to Apache Spark 3.4.0 or later, and ensure that
spark.submit.proxyUser.allowCustomClasspathInClusterMode is set to its
default of "false", and is not overridden by submitted applications.
Metrics
Affected Vendors & Products
References
History
Mon, 21 Oct 2024 15:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|

Status: PUBLISHED
Assigner: apache
Published:
Updated: 2024-10-21T15:06:58.145Z
Reserved: 2023-01-11T01:18:53.321Z
Link: CVE-2023-22946

Updated: 2024-08-02T10:20:31.439Z

Status : Modified
Published: 2023-04-17T08:15:07.790
Modified: 2024-11-21T07:45:41.800
Link: CVE-2023-22946

No data.