CVE-2020-9480

CRITICAL EXPLOITED IN THE WILD NUCLEI

Apache Spark < 2.4.5 - Missing Authentication

Title source: rule

Description

In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine. This does not affect Spark clusters using other resource managers (YARN, Mesos, etc).

Exploits (1)

nomisec WORKING POC

by XiaoShaYu617 · poc

https://github.com/XiaoShaYu617/CVE-2020-9480

View Code ZIP pw:eip

Nuclei Templates (1)

Apache Spark - Authentication Bypass

CRITICALVERIFIEDby riteshs4hu

FOFA: port="6066" && banner="Spark Master"

References (6)

[Vendor Advisory] https://spark.apache.org/security.html#CVE-2020-9480

[Patch, Third Party Advisory] https://www.oracle.com/security-alerts/cpuApr2021.html

[Mailing List] https://lists.apache.org/thread.html/r03ad9fe7c07d6039fba9f2152d345274473cb0af3d8a4794a6645f4b%40%3Cuser.spark.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/ra0e62a18ad080c4ce6df5e0202a27eaada75222761efc3f7238b5a3b%40%3Ccommits.doris.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/rb3956440747e41940d552d377d50b144b60085e7ff727adb0e575d8d%40%3Ccommits.submarine.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/ree9e87aae81852330290a478692e36ea6db47a52a694545c7d66e3e2%40%3Cdev.spark.apache.org%3E

Scores

CVSS v3 9.8

EPSS 0.9055

EPSS Percentile 99.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2024-05-10

InTheWild.io 2024-05-17

CWE

CWE-306

Status published

Products (4)

apache/spark < 2.4.5

oracle/business_intelligence 5.5.0.0.0

org.apache.spark/spark-parent_2.11 0 - 2.4.6Maven

pypi/pyspark 0 - 2.4.6PyPI

Published Jun 23, 2020

Tracked Since Feb 18, 2026