{"id":"PYSEC-2023-44","details":"In Apache Spark versions prior to 3.4.0, applications using spark-submit can specify a 'proxy-user' to run as, limiting privileges. The application can execute code with the privileges of the submitting user, however, by providing malicious configuration-related classes on the classpath. This affects architectures relying on proxy-user, for example those using Apache Livy to manage submitted applications.\n\nUpdate to Apache Spark 3.4.0 or later, and ensure that \nspark.submit.proxyUser.allowCustomClasspathInClusterMode is set to its \ndefault of \"false\", and is not overridden by submitted applications.\n\n\n","aliases":["BIT-spark-2023-22946","CVE-2023-22946","GHSA-329j-jfvr-rhr6"],"modified":"2025-09-19T04:23:20.064434Z","published":"2023-04-17T08:15:00Z","references":[{"type":"ADVISORY","url":"https://lists.apache.org/thread/yllfl25xh5tbotjmg93zrq4bzwhqc0gv"}],"affected":[{"package":{"name":"pyspark","ecosystem":"PyPI","purl":"pkg:pypi/pyspark"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.4.0"}]}],"versions":["2.1.1","2.1.2","2.1.3","2.2.0","2.2.1","2.2.2","2.2.3","2.3.0","2.3.1","2.3.2","2.3.3","2.3.4","2.4.0","2.4.1","2.4.2","2.4.3","2.4.4","2.4.5","2.4.6","2.4.7","2.4.8","3.0.0","3.0.1","3.0.2","3.0.3","3.1.1","3.1.2","3.1.3","3.2.0","3.2.1","3.2.2","3.2.3","3.2.4","3.3.0","3.3.1","3.3.2","3.3.3","3.3.4"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/pyspark/PYSEC-2023-44.yaml"}}],"schema_version":"1.7.3"}