CVE-2023-22946

CWE-269 — Improper Privilege Management7 documents6 sources

Severity

9.9CRITICAL

EPSS

0.4%

top 41.29%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Spark Apache Spark

Timeline

PublishedApr 17

Latest updateOct 15

Description

In Apache Spark versions prior to 3.4.0, applications using spark-submit can specify a 'proxy-user' to run as, limiting privileges. The application can execute code with the privileges of the submitting user, however, by providing malicious configuration-related classes on the classpath. This affects architectures relying on proxy-user, for example those using Apache Livy to manage submitted applications. Update to Apache Spark 3.4.0 or later, and ensure that spark.submit.proxyUser.allowCustomC…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NExploitability: 3.1 | Impact: 2.7

Affected Packages5 packages

▶NVDapache/spark< 3.4.0

▶Mavenorg.apache.spark:spark-core_2.12< 3.3.3

▶Mavenorg.apache.spark:spark-core_2.13< 3.3.3

▶CVEListV5apache_software_foundation/apache_spark< 3.4.0

▶PyPIpyspark< 3.3.2+1

🔴Vulnerability Details

OSV

Apache Spark vulnerable to Improper Privilege Management↗2023-04-17

▶

GHSA

Apache Spark vulnerable to Improper Privilege Management↗2023-04-17

▶

CVEList

Apache Spark proxy-user privilege escalation from malicious configuration class↗2023-04-17

▶

OSV

CVE-2023-22946: In Apache Spark versions prior to 3↗2023-04-17

▶

📋Vendor Advisories

Oracle

Oracle Oracle Financial Services Applications Risk Matrix: Installer (Apache Spark) — CVE-2023-22946↗2023-10-15

▶

Apache

Apache spark: CVE-2023-22946↗

▶