Yi Wu

**Name of the Vulnerable Software and Affected Versions** Apache Spark versions prior to 3.4.0 **Description** The issue is related to insecure privilege management in the spark-submit function of Apache Spark. This allows an application to execute code with the privileges of the submitting user by providing malicious configuration-related classes on the classpath. Architectures relying on proxy-user, such as those using Apache Livy to manage submitted applications, are affected. **Recommendations** Update to Apache Spark 3.4.0 or later, and ensure that `spark.submit.proxyUser.allowCustomClasspathInClusterMode` is set to its default of "false", and is not overridden by submitted applications.