CVE-2020-9480

9.8CRITICAL

Key Information:

Vendor
Apache
Status
Apache Spark
Vendor
CVE Published:
23 June 2020

Summary

In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine. This does not affect Spark clusters using other resource managers (YARN, Mesos, etc).

Affected Version(s)

Apache Spark Apache Spark 2.4.5 and earlier

References

https://spark.apache.org/security.html#CVE-2020-9480
x_refsource_CONFIRM
https://lists.apache.org/thread.html/r03ad9fe7c07d6039fba...
mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/ree9e87aae8185233029...
mailing-listx_refsource_MLIST

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.