In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine. This does not affect Spark clusters using other resource managers (YARN, Mesos, etc).
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: apache
Published: 2020-06-23T21:50:51
Updated: 2024-08-04T10:26:16.324Z
Reserved: 2020-03-01T00:00:00
Link: CVE-2020-9480
Vulnrichment
No data.
NVD
Status : Modified
Published: 2020-06-23T22:15:14.137
Modified: 2024-11-21T05:40:43.943
Link: CVE-2020-9480
Redhat