CVE-2020-9480 in Apache and Oracle Products
Published on June 23, 2020
In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine. This does not affect Spark clusters using other resource managers (YARN, Mesos, etc).
Products Associated with CVE-2020-9480
stack.watch emails you whenever new vulnerabilities are published in Apache Spark or Oracle Business Intelligence. Just hit a watch button to start following.
Affected Versions
Apache Software Foundation Apache Spark Version Apache Spark 2.4.5 and earlier is affected by CVE-2020-9480Exploit Probability
EPSS
93.18%
Percentile
99.79%
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.