Package details: pkg:pypi/pyspark@3.3.2
purl pkg:pypi/pyspark@3.3.2
Next non-vulnerable version 3.4.0
Latest non-vulnerable version 3.4.0
Risk 4.5
Vulnerabilities affecting this package (1)
Vulnerability Summary Fixed by
VCID-1hnx-b71k-mqat
Aliases:
BIT-spark-2023-22946
CVE-2023-22946
GHSA-329j-jfvr-rhr6
PYSEC-2023-44
In Apache Spark versions prior to 3.4.0, applications using spark-submit can specify a 'proxy-user' to run as, limiting privileges. The application can execute code with the privileges of the submitting user, however, by providing malicious configuration-related classes on the classpath. This affects architectures relying on proxy-user, for example those using Apache Livy to manage submitted applications. Update to Apache Spark 3.4.0 or later, and ensure that spark.submit.proxyUser.allowCustomClasspathInClusterMode is set to its default of "false", and is not overridden by submitted applications.
Fixed by: 3.4.0 (affected by 0 other vulnerabilities)
Vulnerabilities fixed by this package (1)
Vulnerability Summary Aliases
VCID-1hnx-b71k-mqat
In Apache Spark versions prior to 3.4.0, applications using spark-submit can specify a 'proxy-user' to run as, limiting privileges. The application can execute code with the privileges of the submitting user, however, by providing malicious configuration-related classes on the classpath. This affects architectures relying on proxy-user, for example those using Apache Livy to manage submitted applications. Update to Apache Spark 3.4.0 or later, and ensure that spark.submit.proxyUser.allowCustomClasspathInClusterMode is set to its default of "false", and is not overridden by submitted applications.
Aliases:
BIT-spark-2023-22946
CVE-2023-22946
GHSA-329j-jfvr-rhr6
PYSEC-2023-44

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-16T22:27:03.808678+00:00 | GitLab Importer | Fixing | VCID-1hnx-b71k-mqat | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/pyspark/CVE-2023-22946.yml | 38.4.0 |
| 2026-04-11T23:45:24.303780+00:00 | GitLab Importer | Fixing | VCID-1hnx-b71k-mqat | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/pyspark/CVE-2023-22946.yml | 38.3.0 |
| 2026-04-02T23:49:01.895315+00:00 | GitLab Importer | Fixing | VCID-1hnx-b71k-mqat | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/pyspark/CVE-2023-22946.yml | 38.1.0 |
| 2026-04-02T16:59:20.478543+00:00 | GHSA Importer | Fixing | VCID-1hnx-b71k-mqat | https://github.com/advisories/GHSA-329j-jfvr-rhr6 | 38.1.0 |
| 2026-04-01T15:13:57.471006+00:00 | PyPI Importer | Affected by | VCID-1hnx-b71k-mqat | https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip | 38.0.0 |
| 2026-04-01T12:57:33.792343+00:00 | GithubOSV Importer | Fixing | VCID-1hnx-b71k-mqat | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-329j-jfvr-rhr6/GHSA-329j-jfvr-rhr6.json | 38.0.0 |
| 2026-04-01T12:51:09.884704+00:00 | GitLab Importer | Fixing | VCID-1hnx-b71k-mqat | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/pyspark/CVE-2023-22946.yml | 38.0.0 |
| 2026-04-01T12:48:13.700480+00:00 | Pypa Importer | Affected by | VCID-1hnx-b71k-mqat | https://github.com/pypa/advisory-database/blob/main/vulns/pyspark/PYSEC-2023-44.yaml | 38.0.0 |