PT-2020-20691 · Apache · Apache Spark

Published

2020-06-23

Updated

2025-10-01

CVE-2020-9480

CVSS v2.0

Critical

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions Apache Spark versions 2.4.5 and earlier

Description A specially-crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even without the shared key, when authentication is enabled via a shared secret. This can be leveraged to execute shell commands on the host machine. This issue does not affect Spark clusters using other resource managers, such as YARN or Mesos.

Recommendations For Apache Spark versions 2.4.5 and earlier, consider disabling the authentication feature until a patch is available, or restrict access to the master to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Improper Authentication

Missing Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-287CWE-306

Related Identifiers

BDU:2025-09903

BIT-SPARK-2020-9480

CVE-2020-9480

GHSA-WGX7-JWWM-CGJV

PYSEC-2020-95

Affected Products

Apache Spark

PT-2020-20691 · Apache · Apache Spark

CVE-2020-9480

Weakness Enumeration

Related Identifiers

Affected Products

References · 24