CVE-2020-9480 Information

Feb 14, 2021 cve

Description

In Apache Spark 2.4.5 and earlier a standalone resource manager’s master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled however a specially-crafted RPC to the master can succeed in starting an application’s resources on the Spark cluster even without the shared key. This can be leveraged to execute shell commands on the host machine. This does not affect Spark clusters using other resource managers (YARN Mesos etc).

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference

https://lists.apache.org/thread.html/r03ad9fe7c07d6039fba9f2152d345274473cb0af3d8a4794a6645f4b@3Cuser.spark.apache.org3E https://lists.apache.org/thread.html/ree9e87aae81852330290a478692e36ea6db47a52a694545c7d66e3e2@3Cdev.spark.apache.org3E https://spark.apache.org/security.htmlCVE-2020-9480

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

9.8

Share on: