5
CVSSv2

CVE-2020-17519

Published: 05/01/2021 Updated: 15/01/2021
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Summary

A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows malicious users to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. Access is restricted to files accessible by the JobManager process. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit b561010b0ee741543c3953306037f00d7a9f0801 from apache/flink:master.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

apache flink

Mailing Lists

This Metasploit module exploits an unauthenticated directory traversal vulnerability in Apache Flink version 1110 ...
CVE-2020-17519: Apache Flink directory traversal attack: reading remote files through the REST API Vendor: The Apache Software Foundation Versions Affected: 1110, 1111, 1112 Description: A change introduced in Apache Flink 1110 (and released in 1111 and 1112 as well) allows attackers to read any file on the local filesystem of the Jo ...

Github Repositories

[CVE-2020-17519] Apache Flink RESTful API Arbitrary File Read

[CVE-2020-17519] Apache Flink RESTful API Arbitrary File Read Apache Flink is a framework and distributed processing engine for stateful computations over unbounded and bounded data streams which developed using Java and Scala A change introduced in Apache Flink 1110 (and released in 1111 and 1112 as well) allows attackers to read any file on the local filesystem of the

CVE-2020-17519

Apache Flink 目录遍历漏洞批量检测 (CVE-2020-17519)

使用方法&免责声明 该脚本为Apache Flink 目录遍历漏洞批量检测 (CVE-2020-17519)。 使用方法:Python CVE-2020-17519py urlstxt urlstxt 中每个url为一行,漏洞地址输出在vultxt中 影响版本: Apache Flink 1110、1111、1112 工具仅用于安全人员安全测试,任何未授权检测造成的直接或者间接的后果及

Apache Flink未授权访问上传导致的RCE漏洞 | apache flink unauthorized upload rce

apache-flink-unauthorized-upload-rce-CVE-2020-17519 Apache Flink未授权访问上传导致的RCE漏洞 | apache flink unauthorized upload rce | CVE-2020-17519 简单用法 python3 scriptpy ip port command 漏洞详细信息 Apache Flink 控制台默认情况下存在未授权访问 在Submit New Job处可添加上传jar包并在服务端执行 如果上传恶意的jar包,

记录在漏洞复现/研究过程中编写的 Poc/Exp

Poc-Exp 记录在漏洞复现/研究过程中编写的 PoC/Exp # Poc框架 pocsuite3 Apache Flink cve-2020-17518(Apache Flink 目录遍历/文件写入漏洞-Upload) 2021-01-06 cve-2020-17519(Apache Flink 目录遍历/文件读取漏洞-jobmanager/logs) 2021-01-06 Citrix cve-2020-8209(Citrix XenMobile 目录遍历/任意文件读取漏洞) Confluence cve-2019-3396(Atla

References

CWE-552http://packetstormsecurity.com/files/160849/Apache-Flink-1.11.0-Arbitrary-File-Read-Directory-Traversal.htmlhttp://www.openwall.com/lists/oss-security/2021/01/05/2https://lists.apache.org/thread.html/r0a433be10676f4fe97ca423d08f914e0ead341c901216f292d2bbe83@%3Cissues.flink.apache.org%3Ehttps://lists.apache.org/thread.html/r229167538863518738e02f4c1c5a8bb34c1d45dadcc97adf6676b0c1@%3Cdev.flink.apache.org%3Ehttps://lists.apache.org/thread.html/r28f17e564950d663e68cc6fe75756012dda62ac623766bb9bc5e7034@%3Cissues.flink.apache.org%3Ehttps://lists.apache.org/thread.html/r2fc60b30557e4a537c2a6293023049bd1c49fd92b518309aa85a0398@%3Cissues.flink.apache.org%3Ehttps://lists.apache.org/thread.html/r4e1b72bfa789ea5bc20b8afe56119200ed25bdab0eb80d664fa5bfe2@%3Cdev.flink.apache.org%3Ehttps://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d%40%3Cdev.flink.apache.org%3Ehttps://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d@%3Cannounce.apache.org%3Ehttps://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d@%3Cdev.flink.apache.org%3Ehttps://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d@%3Cuser.flink.apache.org%3Ehttps://lists.apache.org/thread.html/r88b55f3ebf1f8f4e1cc61f030252aaef4b77060b56557a243abb92a1@%3Cissues.flink.apache.org%3Ehttps://lists.apache.org/thread.html/r88f427865fb6aa6e6378efe07632a1906b430365e15e3b9621aabe1d@%3Cissues.flink.apache.org%3Ehttps://lists.apache.org/thread.html/ra8c96bf3ccb4e491f9ce87ba35f134b4449beb2a38d1ce28fd89001f@%3Cdev.flink.apache.org%3Ehttps://github.com/murataydemir/CVE-2020-17519https://nvd.nist.govhttps://exchange.xforce.ibmcloud.com/vulnerabilities/194212