CVE-2020-9480

Source
https://nvd.nist.gov/vuln/detail/CVE-2020-9480
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-9480.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2020-9480
Aliases
Published
2020-06-23T22:15:14Z
Modified
2024-09-03T03:36:02.962008Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine. This does not affect Spark clusters using other resource managers (YARN, Mesos, etc.).

References

Affected packages

Git / github.com/apache/spark

Affected ranges

Type
GIT
Repo
https://github.com/apache/spark
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected

Affected versions

0.*

0.3-scala-2.8
0.3-scala-2.9

alpha-0.*

alpha-0.1
alpha-0.2

v0.*

v0.5.0
v0.5.1
v0.6.0
v0.7.0

v2.*

v2.4.0
v2.4.0-rc1
v2.4.0-rc2
v2.4.0-rc3
v2.4.0-rc4
v2.4.0-rc5
v2.4.1
v2.4.1-rc1
v2.4.1-rc2
v2.4.1-rc3
v2.4.1-rc4
v2.4.1-rc5
v2.4.1-rc7
v2.4.1-rc8
v2.4.1-rc9
v2.4.2
v2.4.2-rc1
v2.4.3
v2.4.3-rc1
v2.4.4
v2.4.4-rc1
v2.4.4-rc2
v2.4.4-rc3
v2.4.5
v2.4.5-rc1
v2.4.5-rc2