CVE-2020-9480
Summary
| CVE | CVE-2020-9480 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2020-06-23 22:15:00 UTC |
| Updated | 2023-11-07 03:26:00 UTC |
| Description | In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine. This does not affect Spark clusters using other resource managers (YARN, Mesos, etc). |
Risk And Classification
Problem Types: CWE-306
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Apache | Spark | All | All | All | All |
| Application | Oracle | Business Intelligence | 5.5.0.0.0 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Pony Mail! | lists.apache.org | ||
| Pony Mail! | lists.apache.org | ||
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | |
| Security | Apache Spark | CONFIRM | spark.apache.org | Vendor Advisory |
| [doris-commits] 20210402 [GitHub] [incubator-doris] zh0122 opened a new pull request #5593: [FE][Bug] Update Spark version to fix a security issue | lists.apache.org | ||
| Pony Mail! | lists.apache.org | ||
| Oracle Critical Patch Update Advisory - April 2021 | MISC | www.oracle.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.