CVE-2023-22946 – Apache Spark proxy-user privilege escalation from malicious configuration class
https://notcve.org/view.php?id=CVE-2023-22946
In Apache Spark versions prior to 3.4.0, applications using spark-submit can specify a 'proxy-user' to run as, limiting privileges. The application can execute code with the privileges of the submitting user, however, by providing malicious configuration-related classes on the classpath. This affects architectures relying on proxy-user, for example those using Apache Livy to manage submitted applications. Update to Apache Spark 3.4.0 or later, and ensure that spark.submit.proxyUser.allowCustomClasspathInClusterMode is set to its default of "false", and is not overridden by submitted applications. • https://lists.apache.org/thread/yllfl25xh5tbotjmg93zrq4bzwhqc0gv • CWE-269: Improper Privilege Management •
CVE-2022-31777 – Apache Spark XSS vulnerability in log viewer UI Javascript
https://notcve.org/view.php?id=CVE-2022-31777
A stored cross-site scripting (XSS) vulnerability in Apache Spark 3.2.1 and earlier, and 3.3.0, allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the logs which would be returned in logs rendered in the UI. Una vulnerabilidad de Cross-Site Scripting (XSS) Almacenado en Apache Spark 3.2.1 y anteriores, y 3.3.0, permite a atacantes remotos ejecutar JavaScript arbitrario en el navegador web de un usuario, al incluir un payload malicioso en los registros que serían devuelto en registros representados en la interfaz de usuario. A stored cross-site scripting (XSS) flaw was found in Apache Spark. This issue allows an attacker to execute arbitrary JavaScript in the web browser of a user, including a malicious payload into the logs which are returned in logs rendered in the UI. • http://www.openwall.com/lists/oss-security/2022/11/01/14 https://lists.apache.org/thread/60mgbswq2lsmrxykfxpqq13ztkm2ht6q https://access.redhat.com/security/cve/CVE-2022-31777 https://bugzilla.redhat.com/show_bug.cgi?id=2145264 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •