Remote Code Execution (RCE)

Affecting org.apache.spark:spark-network-common_2.10 artifact, versions [0,] (all versions)


Overview

org.apache.spark:spark-network-common_2.10 is a module of Apache Spark, an open-source distributed general-purpose cluster-computing framework.

Affected versions of this package are vulnerable to Remote Code Execution (RCE). A standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. Even when this is enabled, however, a specially crafted RPC to the master can succeed in starting an application's resources on the Spark cluster without the shared key. This can be leveraged to execute shell commands on the host machine. Spark clusters using other resource managers (YARN, Mesos, etc.) are not affected.
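Because the advisory's key point is that spark.authenticate does not protect a standalone master, an inventory check should flag standalone deployments as exposed regardless of that setting, rather than treating authentication as a mitigation. The following audit script is an added example written for this page; it is not Snyk's or Apache Spark's code. It parses a spark-defaults.conf (real Spark keys spark.master and spark.authenticate; the two sample configurations are constructed) and classifies the deployment by the master URL scheme, using only the affected/unaffected split stated above.

```python
"""Classify a Spark deployment's exposure to CVE-2020-9480 from spark-defaults.conf.

Added example (not project code). Assumes the standard spark-defaults.conf
layout: one "key value" (or "key=value") pair per line, '#' comments.
"""
import re
from dataclasses import dataclass

# Resource managers the advisory states are NOT affected; only the standalone
# master ("spark://...") has the bypassable shared-secret check.
UNAFFECTED_PREFIXES = ("yarn", "mesos://")


@dataclass
class Finding:
    status: str        # EXPOSED | NOT_AFFECTED | NOT_APPLICABLE | UNKNOWN
    master: str
    authenticate: bool
    note: str


def parse_spark_conf(text: str) -> dict:
    """Parse spark-defaults.conf content into a {key: value} dict."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Spark loads this file as java.util.Properties, so whitespace or '='
        # both separate key from value; split on the first separator only.
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        conf[key] = value
    return conf


def assess_master_exposure(conf: dict) -> Finding:
    """Decide exposure from spark.master; spark.authenticate is reported but never
    treated as a mitigation, because the advisory says it can be bypassed."""
    master = conf.get("spark.master", "").strip()
    authenticate = conf.get("spark.authenticate", "false").strip().lower() == "true"

    if master.startswith("spark://"):
        note = ("standalone master: a crafted RPC bypasses the shared-secret check, "
                "so spark.authenticate=%s does not mitigate CVE-2020-9480"
                % str(authenticate).lower())
        return Finding("EXPOSED", master, authenticate, note)
    if master.startswith(UNAFFECTED_PREFIXES):
        return Finding("NOT_AFFECTED", master, authenticate,
                       "non-standalone resource manager (not affected per advisory)")
    if master.startswith("local"):
        return Finding("NOT_APPLICABLE", master, authenticate,
                       "local mode runs no standalone master process")
    return Finding("UNKNOWN", master, authenticate,
                   "spark.master not set in this file; check the --master flag "
                   "or the launcher environment instead")


# Constructed sample configurations (not taken from any real deployment).
SAMPLE_STANDALONE = """\
# constructed sample: standalone master with authentication turned on
spark.master              spark://master.internal:7077
spark.authenticate        true
spark.authenticate.secret REDACTED_PLACEHOLDER
"""

SAMPLE_YARN = """\
spark.master = yarn
spark.authenticate = true
"""


if __name__ == "__main__":
    for name, text in (("standalone", SAMPLE_STANDALONE), ("yarn", SAMPLE_YARN)):
        f = assess_master_exposure(parse_spark_conf(text))
        print(f"{name}: {f.status} (master={f.master!r}, "
              f"spark.authenticate={f.authenticate}) - {f.note}")
```

Running it reports the standalone sample as EXPOSED even though spark.authenticate is true, and the YARN sample as NOT_AFFECTED; a configuration that omits spark.master comes back UNKNOWN so the reviewer is pointed at the launcher arguments instead of getting a false "safe".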

Remediation

There is no fixed version for org.apache.spark:spark-network-common_2.10.

References

CVSS Score

9.8
high severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    High
  • Availability
    High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Credit
Ayoub Elaassal
CVE
CVE-2020-9480
CWE
CWE-94
Snyk ID
SNYK-JAVA-ORGAPACHESPARK-573167
Disclosed
24 Jun, 2020
Published
24 Jun, 2020