CVE-2020-9480

 

Published at: - 24-06-2020 12:15

Last modified: - 26-04-2022 07:06

Total changes: - 5

Description

In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine. This does not affect Spark clusters using other resource managers (YARN, Mesos, etc).

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

 

Verification logic

 

Reference

• https://spark.apache.org/security.html#CVE-2020-9480
• [spark-dev] 20200803 Re: CVE-2020-9480: Apache Spark RCE vulnerability in auth-enabled standalone master-Mailing List, Vendor Advisory
• [spark-user] 20200803 Re: CVE-2020-9480: Apache Spark RCE vulnerability in auth-enabled standalone master-Mailing List, Vendor Advisory
• [submarine-commits] 20201209 [GitHub] [submarine] QiAnXinCodeSafe opened a new issue #475: There is a vulnerability in Apache Spark 2.3.4,upgrade recommended-Exploit, Mailing List, Vendor Advisory
• [doris-commits] 20210402 [GitHub] [incubator-doris] zh0122 opened a new pull request #5593: [FE][Bug] Update Spark version to fix a security issue-Mailing List, Vendor Advisory
• https://www.oracle.com/security-alerts/cpuApr2021.html

 

Keywords

NVD

 

CVE-2020-9480

 

CVE

 

Common vulnerabilities & exposures

 

CVSS

 

Common vulnerability scoring system

 

Security

 

Vulnerabilities

 

Exposures