CVE-2020-9480
Description
In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine. This does not affect Spark clusters using other resource managers (YARN, Mesos, etc).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Spark 2.4.5 and earlier allow authentication bypass in the standalone resource manager master, enabling remote code execution.
In Apache Spark 2.4.5 and earlier, the standalone resource manager's master supports optional authentication (spark.authenticate) via a shared secret. A flaw in the RPC handling allows a specially-crafted request to succeed in starting application resources even without the correct shared key. This is a missing authentication check for RPCs that should require the shared secret.
To exploit this, an attacker only needs to be able to send RPCs to the Spark master's port (7077 by default for a standalone master). No prior authentication is needed, the attack requires no user interaction, and it can be performed remotely wherever the master endpoint is reachable. The vulnerability only affects clusters using the standalone resource manager; clusters using YARN, Mesos or another non-standalone resource manager are not impacted.
A successful attack allows the attacker to start a Spark application on the cluster. Because Spark applications are designed to execute arbitrary code on the workers, this results in remote code execution on the host machines. An attacker can run shell commands, access local files, and establish network connections from the compromised worker node.
The Apache Spark project has addressed this issue in Spark 2.4.6 by enforcing authentication checks for the vulnerable RPCs [1]. Users should upgrade to Spark 2.4.6 or later. As a workaround, users of earlier versions can restrict network access to the master endpoint to trusted networks only [1]. The vulnerability is also tracked in the PyPA advisory database for PySpark [3].
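The scope rules above (standalone master only, Spark below 2.4.6, regardless of whether spark.authenticate is set) are easy to get wrong during an inventory sweep, so here is a triage helper that applies them to spark-defaults.conf style configurations and the version each deployment reports. This is an added example, not code from the Apache Spark project or from the advisory; the sample configurations in SAMPLES are constructed, and the version-string parser only looks at the leading numeric components so that strings like "3.0.0-preview2" or vendor suffixes compare correctly against the 2.4.6 fix version from the affected-packages table below.

```python
"""Triage helper for CVE-2020-9480 (added example; not Apache Spark or advisory code).

Applies the affected-scope rules from the narrative above to spark-defaults.conf
style configurations: a deployment is affected only when spark.master selects the
standalone resource manager (a spark:// URL) and the Spark version is below 2.4.6.
YARN, Mesos and other non-standalone managers are out of scope. SAMPLES below are
constructed configurations, not captured from any real cluster.
"""
import re
from dataclasses import dataclass

FIXED_VERSION = (2, 4, 6)          # first release with the shared-secret check enforced
STANDALONE_DEFAULT_PORT = 7077     # default listening port of the standalone master


@dataclass
class Finding:
    name: str
    manager: str
    version: str
    authenticate: bool
    affected: bool
    reason: str


def parse_spark_defaults(text: str) -> dict:
    """Parse spark-defaults.conf: one 'key value' per line, '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def parse_version(version: str) -> tuple:
    """Leading numeric components: '2.4.5' -> (2, 4, 5), '3.0.0-preview2' -> (3, 0, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Spark version: {version!r}")
    return tuple(int(part or 0) for part in m.groups())


def resource_manager(master_url: str) -> str:
    """Classify spark.master into the resource manager it selects."""
    url = master_url.strip().lower()
    if url.startswith("spark://"):
        return "standalone"
    if url.startswith("yarn"):
        return "yarn"
    if url.startswith("mesos://"):
        return "mesos"
    if url.startswith("k8s://"):
        return "kubernetes"
    if url.startswith("local"):
        return "local"
    return "unknown"


def assess(name: str, conf_text: str, version: str) -> Finding:
    """Decide whether one deployment is in scope for CVE-2020-9480 and say why."""
    conf = parse_spark_defaults(conf_text)
    manager = resource_manager(conf.get("spark.master", ""))
    authenticate = conf.get("spark.authenticate", "false").lower() == "true"
    if manager != "standalone":
        return Finding(name, manager, version, authenticate, False,
                       f"{manager} resource manager is not affected by CVE-2020-9480")
    if parse_version(version) >= FIXED_VERSION:
        return Finding(name, manager, version, authenticate, False,
                       "standalone master on Spark 2.4.6 or later enforces the shared secret")
    if authenticate:
        reason = ("spark.authenticate is on but a crafted RPC bypasses it; "
                  f"upgrade to 2.4.6+ and restrict access to the master port "
                  f"(default {STANDALONE_DEFAULT_PORT})")
    else:
        reason = ("spark.authenticate is off, so the master already accepts any submitter; "
                  "enabling it on this version would not help, upgrade to 2.4.6+ first")
    return Finding(name, manager, version, authenticate, True, reason)


# Constructed sample inventory: (name, spark-defaults.conf text, reported Spark version).
SAMPLES = [
    ("analytics-standalone", "spark.master spark://spark-master:7077\nspark.authenticate true\n", "2.4.5"),
    ("analytics-patched", "spark.master spark://spark-master:7077\nspark.authenticate true\n", "2.4.6"),
    ("legacy-open", "spark.master spark://10.0.0.5:7077  # no auth configured\n", "2.3.0"),
    ("hadoop-yarn", "spark.master yarn\nspark.authenticate true\n", "2.4.4"),
    ("preview", "spark.master spark://m:7077\nspark.authenticate true\n", "3.0.0-preview2"),
]


def run_samples() -> list:
    """Assess every SAMPLES entry and return the findings in order."""
    return [assess(name, conf, version) for name, conf, version in SAMPLES]


if __name__ == "__main__":
    for f in run_samples():
        status = "AFFECTED" if f.affected else "not affected"
        print(f"{f.name:22} {f.manager:11} {f.version:15} {status}: {f.reason}")
```

Running it flags the two standalone deployments below 2.4.6 and clears the patched, YARN and 3.0.0-preview2 entries. The "legacy-open" case is reported as affected even though spark.authenticate is off, because the practical exposure (anyone who can reach the master port can start an application) is the same; the reason text points out that turning authentication on without upgrading would not close it.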
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.spark:spark-parent_2.11 | Maven | < 2.4.6 | 2.4.6 |
| pyspark | PyPI | < 2.4.6 | 2.4.6 |
Affected products
- osv-coords (3 version ranges, no CPE): < 2.4.6
- Apache Software Foundation / Apache Spark (v5 range): Apache Spark 2.4.5 and earlier
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-wgx7-jwwm-cgjv (GitHub Security Advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2020-9480 (NVD advisory)
- [3] github.com/pypa/advisory-database/tree/main/vulns/pyspark/PYSEC-2020-95.yaml (PyPA advisory database, PYSEC-2020-95)
- [4] lists.apache.org/thread.html/r03ad9fe7c07d6039fba9f2152d345274473cb0af3d8a4794a6645f4b@%3Cuser.spark.apache.org%3E (user@spark.apache.org announcement; MITRE MLIST and GHSA)
- [5] lists.apache.org/thread.html/ra0e62a18ad080c4ce6df5e0202a27eaada75222761efc3f7238b5a3b@%3Ccommits.doris.apache.org%3E (commits@doris.apache.org; MITRE MLIST and GHSA)
- [6] lists.apache.org/thread.html/rb3956440747e41940d552d377d50b144b60085e7ff727adb0e575d8d@%3Ccommits.submarine.apache.org%3E (commits@submarine.apache.org; MITRE MLIST and GHSA)
- [7] lists.apache.org/thread.html/ree9e87aae81852330290a478692e36ea6db47a52a694545c7d66e3e2@%3Cdev.spark.apache.org%3E (dev@spark.apache.org; MITRE MLIST and GHSA)
- [8] spark.apache.org/security.html (Apache Spark security page; x_refsource_CONFIRM)
- [9] www.oracle.com/security-alerts/cpuApr2021.html (Oracle Critical Patch Update, April 2021; x_refsource_MISC)
News mentions
No linked articles in our index yet.