Critical severityNVD Advisory· Published Jun 23, 2020· Updated Aug 4, 2024
CVE-2020-9480
CVE-2020-9480
Description
In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine. This does not affect Spark clusters using other resource managers (YARN, Mesos, etc).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.spark:spark-parent_2.11Maven | < 2.4.6 | 2.4.6 |
pysparkPyPI | < 2.4.6 | 2.4.6 |
Affected products
4- osv-coords3 versions
< 2.4.6+ 2 more
- (no CPE)range: < 2.4.6
- (no CPE)range: < 2.4.6
- (no CPE)range: < 2.4.6
- Apache Software Foundation/Apache Sparkv5Range: Apache Spark 2.4.5 and earlier
Patches
Vulnerability mechanics
References
13- github.com/advisories/GHSA-wgx7-jwwm-cgjvghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-9480ghsaADVISORY
- github.com/pypa/advisory-database/tree/main/vulns/pyspark/PYSEC-2020-95.yamlghsaWEB
- lists.apache.org/thread.html/r03ad9fe7c07d6039fba9f2152d345274473cb0af3d8a4794a6645f4b%40%3Cuser.spark.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/r03ad9fe7c07d6039fba9f2152d345274473cb0af3d8a4794a6645f4b@%3Cuser.spark.apache.org%3EghsaWEB
- lists.apache.org/thread.html/ra0e62a18ad080c4ce6df5e0202a27eaada75222761efc3f7238b5a3b%40%3Ccommits.doris.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/ra0e62a18ad080c4ce6df5e0202a27eaada75222761efc3f7238b5a3b@%3Ccommits.doris.apache.org%3EghsaWEB
- lists.apache.org/thread.html/rb3956440747e41940d552d377d50b144b60085e7ff727adb0e575d8d%40%3Ccommits.submarine.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/rb3956440747e41940d552d377d50b144b60085e7ff727adb0e575d8d@%3Ccommits.submarine.apache.org%3EghsaWEB
- lists.apache.org/thread.html/ree9e87aae81852330290a478692e36ea6db47a52a694545c7d66e3e2%40%3Cdev.spark.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/ree9e87aae81852330290a478692e36ea6db47a52a694545c7d66e3e2@%3Cdev.spark.apache.org%3EghsaWEB
- spark.apache.org/security.htmlghsax_refsource_CONFIRMWEB
- www.oracle.com/security-alerts/cpuApr2021.htmlghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.