PT-2023-8745 · Apache · Apache Spark
Author: Hideyuki Furue
Published: 2023-04-15 · Updated: 2026-05-05
CVE-2023-22946
CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Apache Spark versions prior to 3.4.0
Description
The issue is insecure privilege management in the spark-submit function of Apache Spark: an application can execute code with the privileges of the submitting user by supplying malicious configuration-related classes on the classpath. Architectures that rely on proxy-user, such as those using Apache Livy to manage submitted applications, are affected.
Recommendations
Update to Apache Spark 3.4.0 or later, and ensure that spark.submit.proxyUser.allowCustomClasspathInClusterMode is set to its default of "false" and is not overridden by submitted applications.
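As an added defender-side check (not part of this advisory or of Apache Spark itself), the following Python script audits the two conditions in the recommendation: the Spark version is 3.4.0 or later, and a submitted application's `--conf` argument does not override the setting to true. The spark-defaults.conf content and spark-submit command line are constructed samples, and the script assumes only `--conf key=value` overrides (it does not follow `--properties-file`).

```python
import re

SETTING = "spark.submit.proxyUser.allowCustomClasspathInClusterMode"
FIXED_VERSION = (3, 4, 0)

# Constructed sample inputs standing in for a real spark-defaults.conf and a
# real spark-submit command line (not taken from any live deployment).
SAMPLE_DEFAULTS = """
spark.master  yarn
spark.submit.proxyUser.allowCustomClasspathInClusterMode  false
"""
SAMPLE_SUBMIT = ["--deploy-mode", "cluster", "--proxy-user", "alice",
                 "--conf", SETTING + "=true", "app.jar"]

def parse_version(version: str) -> tuple:
    """'3.3.2-SNAPSHOT' -> (3, 3, 2); raises on anything unrecognised."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Spark version: {version!r}")
    return tuple(int(n) for n in m.groups())

def parse_defaults(text: str) -> dict:
    """Parse spark-defaults.conf lines ('key value' or 'key=value')."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
            if len(parts) == 2:
                conf[parts[0]] = parts[1]
    return conf

def effective_setting(defaults_text: str, submit_args: list) -> bool:
    """True when --conf overrides leave the setting enabled (recommendation not met)."""
    conf = parse_defaults(defaults_text)
    for i, arg in enumerate(submit_args[:-1]):  # --conf k=v beats defaults
        if arg == "--conf" and "=" in submit_args[i + 1]:
            key, value = submit_args[i + 1].split("=", 1)
            conf[key] = value
    return conf.get(SETTING, "false").lower() == "true"

def audit(version: str, defaults_text: str, submit_args: list) -> list:
    """Return findings; an empty list means both recommendations are met."""
    findings = []
    if parse_version(version) < FIXED_VERSION:
        findings.append(f"Spark {version} predates 3.4.0: upgrade required")
    if effective_setting(defaults_text, submit_args):
        findings.append(f"{SETTING} resolves to true: remove the override")
    return findings
```

Running `audit("3.3.2", SAMPLE_DEFAULTS, SAMPLE_SUBMIT)` on the constructed samples reports both findings, because the file sets the safe default but the submitted application overrides it.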
Weakness Enumeration
Improper Privilege Management
Affected Products
Apache Spark