CVE-2020-17519
Apache Flink directory traversal attack: reading remote files through the REST API
In short
Apache Flink versions 1.11.0 through 1.11.2 contain a flaw that lets attackers read any file on the server's disk through the JobManager's REST API. This bypasses normal file access restrictions and could expose sensitive data.
Technical detail
A directory traversal vulnerability in Apache Flink 1.11.0–1.11.2 allows unauthenticated or low-privileged attackers to enumerate and read, through the JobManager REST API, arbitrary files accessible to the JobManager process. Exploitation requires no authentication and can disclose sensitive configuration files, credentials, and application data.
Summary generated and translated by AI from the official description.
A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. Access is restricted to files accessible by the JobManager process. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit b561010b0ee741543c3953306037f00d7a9f0801 from apache/flink:master.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Affected products
Apache Software Foundation · Apache Flink
Public PoCs found: 15
github: github.com/MrCl0wnLab/SimplesApachePathTraversal ★ 62
github: github.com/B1anda0/CVE-2020-17519 ★ 48
github: github.com/murataydemir/CVE-2020-17519 ★ 8
github: github.com/dolevf/apache-flink-directory-traversal.nse ★ 3
github: github.com/givemefivw/CVE-2020-17519 ★ 1
github: github.com/yaunsky/CVE-2020-17519-Apache-Flink ★ 1
github: github.com/QmF0c3UK/CVE-2020-17519 ★ 1
github: github.com/GazettEl/CVE-2020-17519 ★ 0
github: github.com/dev-team-12x/CVE-2020-17519 ★ 0
github: github.com/radbsie/CVE-2020-17519-Exp ★ 0
github: github.com/Osyanina/westone-CVE-2020-17519-scanner ★ 0
github: github.com/zhangweijie11/CVE-2020-17519 ★ 0
github: github.com/shoucheng3/apache__flink_CVE-2020-17519_1-11-2 ★ 0
exploitdb: www.exploit-db.com/exploits/49398 (unverified)
cve_reference: packetstormsecurity.com/files/160849/Apache-Flink-1.11.0-Arbitrary-File-Read-Directory-Traversal.html (unverified)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
http://packetstormsecurity.com/files/160849/Apache-Flink-1.11.0-Arbitrary-File-Read-Directory-Traversal.html
https://lists.apache.org/thread.html/r0a433be10676f4fe97ca423d08f914e0ead341c901216f292d2bbe83%40%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7%40%3Cannounce.apache.org%3E
https://lists.apache.org/thread.html/r229167538863518738e02f4c1c5a8bb34c1d45dadcc97adf6676b0c1%40%3Cdev.flink.apache.org%3E
https://lists.apache.org/thread.html/r26fcdd4fe288323006253437ebc4dd6fdfadfb5e93465a0e4f68420d%40%3Cuser-zh.flink.apache.org%3E
https://lists.apache.org/thread.html/r28f17e564950d663e68cc6fe75756012dda62ac623766bb9bc5e7034%40%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/r2fc60b30557e4a537c2a6293023049bd1c49fd92b518309aa85a0398%40%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/r4e1b72bfa789ea5bc20b8afe56119200ed25bdab0eb80d664fa5bfe2%40%3Cdev.flink.apache.org%3E
https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d%40%3Cannounce.apache.org%3E
https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d%40%3Cdev.flink.apache.org%3E
https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d%40%3Cuser.flink.apache.org%3E
https://lists.apache.org/thread.html/r88b55f3ebf1f8f4e1cc61f030252aaef4b77060b56557a243abb92a1%40%3Cissues.flink.apache.org%3E