CVE-2020-9480 — CRITICAL (9.8)

Q: How severe is CVE-2020-9480?

CVE-2020-9480 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2020-9480?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Spark, Oracle Business Intelligence.

Vulnerability Description

In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine. This does not affect Spark clusters using other resource managers (YARN, Mesos, etc).

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Apache	Spark	<= 2.4.5
Oracle	Business Intelligence	5.5.0.0.0

Related Weaknesses (CWE)

CWE-306

References

FAQ

What is CVE-2020-9480?

CVE-2020-9480 is a vulnerability with a CVSS score of 9.8 (CRITICAL). In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-craft...

How severe is CVE-2020-9480?

CVE-2020-9480 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2020-9480?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Spark, Oracle Business Intelligence.