CVE-2023-22946
published 2023-04-17


Priority: P261, critical, 9.9 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS: 1.11% (61.8th percentile)
In Apache Spark versions prior to 3.4.0, applications using spark-submit can specify a 'proxy-user' to run as, limiting privileges. However, by providing malicious configuration-related classes on the classpath, the application can execute code with the privileges of the submitting user instead. This affects architectures relying on proxy-user, for example those using Apache Livy to manage submitted applications. Update to Apache Spark 3.4.0 or later, and ensure that spark.submit.proxyUser.allowCustomClasspathInClusterMode is set to its default of "false" and is not overridden by submitted applications.

Affected (3 ranges)

Vendor                      Product       Version range   Fixed in
apache                      spark         < 3.4.0         3.4.0
apache                      spark         (not stated)    (not stated)
apache_software_foundation  apache_spark  < 3.4.0         3.4.0

Detection & IOCs (extracted from sources)

  • Detect spark-submit invocations that attempt to override spark.submit.proxyUser.allowCustomClasspathInClusterMode to a non-default (non-false) value, which is the key exploitation vector for this CVE.
  • Monitor for proxy-user privilege escalation attempts via spark-submit where malicious configuration-related classes are supplied on the classpath in cluster mode.
  • Environments using Apache Livy to manage submitted Spark applications are specifically at risk; audit Livy-submitted jobs for classpath manipulation attempts.
  • The configuration property spark.submit.proxyUser.allowCustomClasspathInClusterMode must remain at its default value of 'false' and must not be overridable by submitted applications; any deviation enables privilege escalation.
  • All Apache Spark versions prior to 3.4.0 are affected; upgrading to 3.4.0 or later is required to remediate the vulnerability.

CVSS provenance

Source          Version  Score  Severity  Vector
nvd             v3.1     9.9    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vendor_oracle            9.9    MEDIUM
vendor_apache            6.4