CVE-2020-9480

Source
https://nvd.nist.gov/vuln/detail/CVE-2020-9480
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-9480.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2020-9480
Aliases
Published
2020-06-23T22:15:14Z
Modified
2024-10-12T06:41:53.329274Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine. This does not affect Spark clusters using other resource managers (YARN, Mesos, etc).

References

Affected packages

Git / github.com/apache/spark

Affected ranges

Type
GIT
Repo
https://github.com/apache/spark
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected

Affected versions

0.*

0.3-scala-2.8
0.3-scala-2.9

alpha-0.*

alpha-0.1
alpha-0.2

v0.*

v0.5.0
v0.5.1
v0.6.0
v0.7.0

v2.*

v2.4.0
v2.4.0-rc1
v2.4.0-rc2
v2.4.0-rc3
v2.4.0-rc4
v2.4.0-rc5
v2.4.1
v2.4.1-rc1
v2.4.1-rc2
v2.4.1-rc3
v2.4.1-rc4
v2.4.1-rc5
v2.4.1-rc7
v2.4.1-rc8
v2.4.1-rc9
v2.4.2
v2.4.2-rc1
v2.4.3
v2.4.3-rc1
v2.4.4
v2.4.4-rc1
v2.4.4-rc2
v2.4.4-rc3
v2.4.5
v2.4.5-rc1
v2.4.5-rc2