Improper Privilege Management
CVE-2023-22946
Summary
In Apache Spark versions prior to 3.4.0-rc1, applications using spark-submit can specify a 'proxy-user' to run as, limiting privileges. By providing malicious configuration-related classes on the classpath, however, the application can execute code with the privileges of the submitting user. This affects architectures relying on proxy-user, for example those using Apache Livy to manage submitted applications. Update to a patched Apache Spark version, and ensure that "spark.submit.proxyUser.allowCustomClasspathInClusterMode" is set to its default of "false" and is not overridden by submitted applications.
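The mitigation above is a configuration property, and the advisory's concern is that a submitter can override it. As an added example (not code from the advisory or from the Apache Spark project), the following script resolves the effective value of that property from two constructed inputs: a spark-defaults.conf and a spark-submit command line. It assumes the documented Spark precedence (a `--conf` flag on the command line overrides spark-defaults.conf, and an unset property falls back to the built-in default of `false`) and that spark-defaults.conf is parsed in Java Properties style (`key value`, `key=value` or `key:value`, with `#` comments). Function names and the sample inputs are the author's own.

```python
"""Resolve the effective value of the CVE-2023-22946 mitigation property and
flag a configuration that has turned it back on."""
import re
import shlex

SETTING = "spark.submit.proxyUser.allowCustomClasspathInClusterMode"
SAFE_DEFAULT = "false"  # Spark's built-in default per the advisory

# key, then optional separator (whitespace, '=' or ':'), then the value
_DEFAULTS_LINE = re.compile(r"^([^\s=:]+)\s*[=:]?\s*(.*)$")


def parse_spark_defaults(text):
    """Parse spark-defaults.conf text into a dict (blank lines and '#' comments ignored)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _DEFAULTS_LINE.match(line)
        if match:
            conf[match.group(1)] = match.group(2).strip()
    return conf


def parse_submit_conf_args(cmdline):
    """Collect --conf key=value (and --conf=key=value) pairs from a spark-submit command line."""
    conf = {}
    tokens = shlex.split(cmdline)
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        pair = None
        if tok == "--conf" and i + 1 < len(tokens):
            pair = tokens[i + 1]
            i += 1
        elif tok.startswith("--conf="):
            pair = tok[len("--conf="):]
        if pair and "=" in pair:
            key, value = pair.split("=", 1)
            conf[key.strip()] = value.strip()
        i += 1
    return conf


def effective_value(defaults_conf, submit_conf):
    """Apply Spark precedence: --conf beats spark-defaults.conf, which beats the built-in default.
    Returns (value, source) so an auditor can see where an override came from."""
    if SETTING in submit_conf:
        return submit_conf[SETTING], "spark-submit --conf"
    if SETTING in defaults_conf:
        return defaults_conf[SETTING], "spark-defaults.conf"
    return SAFE_DEFAULT, "built-in default"


def is_mitigated(defaults_text, submit_cmdline):
    """Return (mitigated, value, source). Mitigated means the property is not 'true'."""
    defaults = parse_spark_defaults(defaults_text)
    submit = parse_submit_conf_args(submit_cmdline)
    value, source = effective_value(defaults, submit)
    return value.strip().lower() != "true", value, source


if __name__ == "__main__":
    # Constructed sample inputs: a hardened spark-defaults.conf and a submission
    # that tries to override the property on the command line.
    SAMPLE_DEFAULTS = (
        "spark.master yarn\n"
        "# keep the CVE-2023-22946 mitigation at its default\n"
        f"{SETTING} false\n"
    )
    SAMPLE_SUBMIT = (
        "spark-submit --deploy-mode cluster --proxy-user alice "
        f"--conf {SETTING}=true --class Main app.jar"
    )
    ok, val, src = is_mitigated(SAMPLE_DEFAULTS, SAMPLE_SUBMIT)
    print(f"mitigated={ok} value={val!r} source={src}")
```

In a gateway such as Livy, the useful check is the one on the submit side: a `--conf` override reported with source `spark-submit --conf` indicates a submitted application has re-enabled custom classpaths in cluster mode, which is exactly what the advisory says must not happen.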
CVSS v3.1 Base Metrics
- Attack Complexity: LOW
- Attack Vector: NETWORK
- Availability Impact: HIGH
- Scope: CHANGED
- User Interaction: NONE
- Privileges Required: LOW
- Confidentiality Impact: HIGH
- Integrity Impact: HIGH
CWE-269 - Improper Privilege Management
An effective privilege management infrastructure grants valid users the access and privileges they require across heterogeneous technology environments. An application with a faulty privilege management infrastructure grants higher privileges than authorized or enables privilege escalation. This can lead to security incidents such as system infiltration, data breach, and complete system takeover.