CVE-2020-9480

2020-06-2322:15:14

CWE-306

[email protected]

web.nvd.nist.gov

CVSS2

9.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.03

Percentile

90.9%

JSON

In Apache Spark 2.4.5 and earlier, a standalone resource manager’s master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application’s resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine. This does not affect Spark clusters using other resource managers (YARN, Mesos, etc).

Affected configurations

Nvd

Node

apachesparkRange≤2.4.5

Node

oraclebusiness_intelligenceMatch5.5.0.0.0enterprise

VendorProductVersionCPE
apachespark*cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:*
oraclebusiness_intelligence5.5.0.0.0cpe:2.3:a:oracle:business_intelligence:5.5.0.0.0:*:*:*:enterprise:*:*:*

Vendor	Product	Version	CPE
apache	spark	*	cpe:2.3:a:apache:spark::::::::
oracle	business_intelligence	5.5.0.0.0	cpe:2.3:a:oracle:business_intelligence:5.5.0.0.0::::enterprise:::