Improper Privilege Management

CVE-2023-22946

Severity High
Score 9.9/10

Summary

In Apache Spark versions prior to 3.4.0-rc1, applications using spark-submit can specify a 'proxy-user' to run as, limiting privileges. However, by providing malicious configuration-related classes on the classpath, the application can execute code with the privileges of the submitting user instead. This affects architectures relying on proxy-user, for example those using Apache Livy to manage submitted applications. Update to a patched Apache Spark version, and ensure that "spark.submit.proxyUser.allowCustomClasspathInClusterMode" is set to its default of "false" and is not overridden by submitted applications.
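The mitigation in the summary has two parts: run a patched release, and make sure the classpath setting stays at its default and is not supplied by the submitted application. The following script, added here as an example and not code from the advisory or from the Apache Spark project, checks both against a spark-defaults.conf file and a spark-submit command line. It assumes the standard spark-defaults.conf layout (one "key value" or "key=value" pair per line, "#" comments) and the standard spark-submit flags --conf and --proxy-user; the sample inputs at the bottom are constructed, and the version comparison treats anything below 3.4.0 as affected.

```python
import re

# Configuration key named in the advisory; "false" is the documented default.
PROXY_CLASSPATH_KEY = "spark.submit.proxyUser.allowCustomClasspathInClusterMode"
# Advisory: versions prior to 3.4.0-rc1 are affected.
FIXED_VERSION = (3, 4, 0)


def parse_spark_conf(text):
    """Parse spark-defaults.conf text ('key value' or 'key=value', '#' comments)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) == 2:
            conf[parts[0]] = parts[1].strip()
    return conf


def parse_submit_args(argv):
    """Collect --conf key=value overrides and the --proxy-user from a spark-submit command line."""
    conf, proxy_user = {}, None
    i = 0
    while i < len(argv):
        if argv[i] == "--conf" and i + 1 < len(argv):
            key, _, value = argv[i + 1].partition("=")
            conf[key] = value
            i += 2
        elif argv[i] == "--proxy-user" and i + 1 < len(argv):
            proxy_user = argv[i + 1]
            i += 2
        else:
            i += 1
    return conf, proxy_user


def parse_version(version):
    """Turn '3.3.2' or '3.4.0-rc1' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Spark version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_true(value):
    return str(value).strip().lower() == "true"


def assess(spark_version, defaults_text, submit_argv):
    """Return a list of findings; an empty list means the deployment follows the advisory's guidance."""
    findings = []
    defaults = parse_spark_conf(defaults_text)
    overrides, proxy_user = parse_submit_args(submit_argv)

    if parse_version(spark_version) < FIXED_VERSION:
        findings.append(f"Spark {spark_version} is below 3.4.0: update to a patched release")

    # The cluster-wide default must stay "false" (the advisory's documented default).
    if is_true(defaults.get(PROXY_CLASSPATH_KEY, "false")):
        findings.append(f"{PROXY_CLASSPATH_KEY} is true in spark-defaults.conf")

    # Submitted applications must not be allowed to override the setting.
    if PROXY_CLASSPATH_KEY in overrides:
        who = f"proxy-user {proxy_user}" if proxy_user else "submission"
        findings.append(f"{who} overrides {PROXY_CLASSPATH_KEY} via --conf ({overrides[PROXY_CLASSPATH_KEY]})")
    return findings


# Constructed sample inputs (not from any real deployment).
SAMPLE_DEFAULTS_PERMISSIVE = (
    "spark.master yarn\n"
    "spark.submit.proxyUser.allowCustomClasspathInClusterMode true  # permissive\n"
)
SAMPLE_DEFAULTS_SAFE = "spark.master=yarn\n"
SAMPLE_SUBMIT_ARGV = [
    "spark-submit", "--proxy-user", "alice",
    "--conf", "spark.executor.memory=2g", "--class", "App", "app.jar",
]

if __name__ == "__main__":
    for finding in assess("3.3.2", SAMPLE_DEFAULTS_PERMISSIVE, SAMPLE_SUBMIT_ARGV):
        print("FINDING:", finding)
```

The check is deliberately conservative: any --conf override of the key is reported, not only one that sets it to "true", because the advisory's guidance is that submitted applications should not control this setting at all.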

CVSS v3.1 base metric values (vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H; the metric names were not preserved on the page):

  • LOW
  • NETWORK
  • HIGH
  • CHANGED
  • NONE
  • LOW
  • HIGH
  • HIGH

CWE-269 - Improper Privilege Management

An effective privilege management infrastructure gives valid users the access and privileges they need across heterogeneous technology environments. An application with a faulty privilege management infrastructure grants higher privileges than authorized or enables privilege escalation. This can lead to security incidents such as system infiltration, data breach, and complete system takeover.

Advisory Timeline

  • Published