Vulnerability in Apache Software Foundation Spark
CVE-2020-9480
In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in sta…
EPSS: 0.883 (99.5th percentile)
Affected products
- Apache Software Foundation Spark — versions 2.4.5 and earlier
References
- spark.apache.org/security.html (x_refsource_CONFIRM)
- [spark-user] 20200803 Re: CVE-2020-9480: Apache Spark RCE vulnerability in auth-enabled standalone master (mailing-list, x_refsource_MLIST)
- [spark-dev] 20200803 Re: CVE-2020-9480: Apache Spark RCE vulnerability in auth-enabled standalone master (mailing-list, x_refsource_MLIST)
- [submarine-commits] 20201209 [GitHub] [submarine] QiAnXinCodeSafe opened a new issue #475: There is a vulnerability in Apache Spark 2.3.4,upgrade recommended (mailing-list, x_refsource_MLIST)
- [doris-commits] 20210402 [GitHub] [incubator-doris] zh0122 opened a new pull request #5593: [FE][Bug] Update Spark version to fix a security issue (mailing-list, x_refsource_MLIST)
- www.oracle.com/security-alerts/cpuApr2021.html (x_refsource_MISC)
Frequently asked questions
- What is CVE-2020-9480?
- CVE-2020-9480 is a vulnerability in Apache Software Foundation Spark. Published 2020-06-23.
- Is CVE-2020-9480 known to be exploited?
- 7 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.