CVE-2020-9480

CRITICAL EXPLOITED IN THE WILD NUCLEI

Apache Spark <= 2.4.5 - Unauthenticated Remote Code Execution via Standalone Resource Manager

Title source: llm

Exploitation Summary

CVE-2020-9480 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 1 public exploit from researchers including XiaoShaYu617. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2020-9480, targeting Apache Spark's pre-authentication remote code execution vulnerability. The exploit leverages the Spark REST API to submit a malicious job, executing arbitrary commands on the target system.

Description

In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine. This does not affect Spark clusters using other resource managers (YARN, Mesos, etc).

Exploits (1)

nomisec WORKING POC

by XiaoShaYu617 · poc

https://github.com/XiaoShaYu617/CVE-2020-9480

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2020-9480, targeting Apache Spark's pre-authentication remote code execution vulnerability. The exploit leverages the Spark REST API to submit a malicious job, executing arbitrary commands on the target system.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Apache Spark <=2.4.5

No auth needed

Prerequisites: Network access to the Spark REST API endpoint · Spark cluster configured to accept remote submissions

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 18, 2026 Full analysis →

Nuclei Templates (1)

Apache Spark - Authentication Bypass

CRITICALVERIFIEDby riteshs4hu

FOFA: port="6066" && banner="Spark Master"

References (6)

Core 6

Core References

Vendor Advisory x_refsource_confirm

https://spark.apache.org/security.html#CVE-2020-9480

Mailing List mailing-list x_refsource_mlist

https://lists.apache.org/thread.html/r03ad9fe7c07d6039fba9f2152d345274473cb0af3d8a4794a6645f4b%40%3Cuser.spark.apache.org%3E

Mailing List mailing-list x_refsource_mlist

https://lists.apache.org/thread.html/ree9e87aae81852330290a478692e36ea6db47a52a694545c7d66e3e2%40%3Cdev.spark.apache.org%3E

Mailing List mailing-list x_refsource_mlist

https://lists.apache.org/thread.html/rb3956440747e41940d552d377d50b144b60085e7ff727adb0e575d8d%40%3Ccommits.submarine.apache.org%3E

Mailing List mailing-list x_refsource_mlist

https://lists.apache.org/thread.html/ra0e62a18ad080c4ce6df5e0202a27eaada75222761efc3f7238b5a3b%40%3Ccommits.doris.apache.org%3E

Patch, Third Party Advisory x_refsource_misc

https://www.oracle.com/security-alerts/cpuApr2021.html

Scores

CVSS v3 9.8

EPSS 0.8827

EPSS Percentile 99.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2024-05-10

InTheWild.io 2024-05-17

CWE

CWE-306

Status published

Products (4)

apache/spark < 2.4.5

oracle/business_intelligence 5.5.0.0.0

org.apache.spark/spark-parent_2.11 0 - 2.4.6Maven

pypi/pyspark 0 - 2.4.6PyPI

Published Jun 23, 2020

Tracked Since Feb 18, 2026