In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine. This does not affect Spark clusters using other resource managers (YARN, Mesos, etc.).
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.

Status: PUBLISHED
Assigner: apache
Published:
Updated: 2024-08-04T10:26:16.324Z
Reserved: 2020-03-01T00:00:00
Link: CVE-2020-9480


Status : Modified
Published: 2020-06-23T22:15:14.137
Modified: 2024-11-21T05:40:43.943
Link: CVE-2020-9480

