
CVE-2020-9480: Improper Authentication in Apache Spark

CVSS Score: 9.8 (CVSS 3.1)

Basic Information

EPSS Score: 0.99074%
Published: 2/10/2022
Updated: 10/15/2024
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| org.apache.spark:spark-parent_2.11 | maven | <= 2.4.5 | 2.4.6 |
| pyspark | pip | < 2.4.6 | 2.4.6 |

Vulnerability Intelligence
Miggo AI: Root Cause Analysis

The vulnerability exists in the standalone master's RPC handling where authentication checks were missing. The Master.receive() method is the main entry point for RPC messages, and methods like handleRegisterApplication would process application submissions. The CVE description explicitly states authentication bypass in application resource startup RPCs, indicating missing auth checks in these message handlers. While exact patch details aren't shown, the Spark security advisory and architecture analysis confirm these are the critical authentication points.


WAF Protection Rules

WAF Rule

In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an ap
