This repository has been archived by the owner on Oct 2, 2023. It is now read-only.

CVE-2023-22946 (Critical) detected in spark-core_2.11-2.3.3.jar #139

Open
mend-bolt-for-github bot opened this issue Apr 17, 2023 · 0 comments
Labels
Mend: dependency security vulnerability Security vulnerability detected by WhiteSource

Comments

@mend-bolt-for-github

mend-bolt-for-github bot commented Apr 17, 2023

CVE-2023-22946 - Critical Severity Vulnerability

Vulnerable Library - spark-core_2.11-2.3.3.jar

The Apache Software Foundation provides support for the Apache community of open-source software projects. The Apache projects are characterized by a collaborative, consensus based development process, an open and pragmatic software license, and a desire to create high quality software that leads the way in its field. We consider ourselves not simply a group of projects sharing a server, but rather a community of developers and users.

Library home page: http://spark.apache.org/

Dependency Hierarchy:

  • spark-core_2.11-2.3.3.jar (Vulnerable Library)

Found in HEAD commit: 7b16df0bfd847c502ac80c1464fe08140edf5d0d

Found in base branch: master

Vulnerability Details

In Apache Spark versions prior to 3.4.0, applications using spark-submit can specify a 'proxy-user' to run as, limiting privileges. The application can execute code with the privileges of the submitting user, however, by providing malicious configuration-related classes on the classpath. This affects architectures relying on proxy-user, for example those using Apache Livy to manage submitted applications.

Update to Apache Spark 3.4.0 or later, and ensure that spark.submit.proxyUser.allowCustomClasspathInClusterMode is set to its default of "false", and is not overridden by submitted applications.

Publish Date: 2023-04-17

URL: CVE-2023-22946

CVSS 3 Score Details (9.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://seclists.org/oss-sec/2023/q2/28

Release Date: 2023-04-17

Fix Resolution: org.apache.spark:spark-core:3.4.0


@mend-bolt-for-github mend-bolt-for-github bot added the Mend: dependency security vulnerability Security vulnerability detected by WhiteSource label Apr 17, 2023
@mend-bolt-for-github mend-bolt-for-github bot changed the title CVE-2023-22946 (Medium) detected in spark-core_2.11-2.3.3.jar CVE-2023-22946 (Critical) detected in spark-core_2.11-2.3.3.jar Aug 29, 2023