CVE-2020-17518 - Vulnerability Details

Vendors	Products
Apache	Flink
Redhat	Camel Quarkus Integration Jboss Fuse

Package	CPE	Advisory	Released Date
Red Hat Fuse 7.9
flink	cpe:/a:redhat:jboss_fuse:7	RHSA-2021:3140	2021-08-11T00:00:00Z
Red Hat Integration
flink	cpe:/a:redhat:integration:1	RHSA-2021:3205	2021-08-18T00:00:00Z
Red Hat Integration Camel Quarkus 1
flink	cpe:/a:redhat:camel_quarkus:2	RHSA-2021:3207	2021-08-18T00:00:00Z

Link	Providers
http://www.openwall.com/lists/oss-security/2021/01/05/1
https://lists.apache.org/thread.html/r0b000dc028616d33cb9aa388eb45d516b789cab0024dad94bc06588a%40%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7%40%3Cannounce.apache.org%3E
https://lists.apache.org/thread.html/r229167538863518738e02f4c1c5a8bb34c1d45dadcc97adf6676b0c1%40%3Cdev.flink.apache.org%3E
https://lists.apache.org/thread.html/r26fcdd4fe288323006253437ebc4dd6fdfadfb5e93465a0e4f68420d%40%3Cuser-zh.flink.apache.org%3E
https://lists.apache.org/thread.html/r28f17e564950d663e68cc6fe75756012dda62ac623766bb9bc5e7034%40%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/r4a87837518804b31eb9db3048347ed2bb7b46fbaad5844f22a9fd4dc%40%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/r5444acac3407ef6397d6aef1b5aec2db53b4b88ef221e63084c1e5f2%40%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/r705fb2211b82c9f1f8d2b1d4c823bcbca50402ba09b96608ec657efe%40%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/r710693b0d3b229c81f485804ea1145b4edda79c9e77d66c39a0a2ff1%40%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/r7b2ee88c66fc1d0823e66475631f5c3e7f0365204ff0cb094d9f2433%40%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/r8167f30c4c60a11b8d5be3f55537beeda629be61196e693bde403b36%40%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/r88200d2f0b620c6b4b1585a7171355005c89e678b01d0e71a16c57e7%40%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922%40%3Cannounce.apache.org%3E
https://lists.apache.org/thread.html/ra8c96bf3ccb4e491f9ce87ba35f134b4449beb2a38d1ce28fd89001f%40%3Cdev.flink.apache.org%3E
https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261%40%3Cannounce.apache.org%3E
https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261%40%3Cdev.flink.apache.org%3E
https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261%40%3Cuser.flink.apache.org%3E
https://lists.apache.org/thread.html/rcb9e8af775f2a3706b69153aefde78f208871649df057c70ce2e24f9%40%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/rd2467344f88bcaf108b8209ca92da8ec393c68174bfb8c27d1e20faa%40%3Cdev.flink.apache.org%3E
https://lists.apache.org/thread.html/rd6a1a0e2d73220a65a8f6535bbcd24bb66adb0d046c4a1aa18777cf3%40%3Cdev.flink.apache.org%3E
https://lists.apache.org/thread.html/rec0d650fbd4ea1a5e1224a347d83a63cb44291c334ad58b8809bc23b%40%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/rf8812a5703f4a5f1341138baf239258b250875699732cfdf9d55b21d%40%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/rfe159ccf496d75813f24c6079c5d33872d83f5a2e39cb32c3aef5a73%40%3Cissues.flink.apache.org%3E
https://nvd.nist.gov/vuln/detail/CVE-2020-17518
https://www.cve.org/CVERecord?id=CVE-2020-17518

Show plain JSON

{"containers": {"cna": {"affected": [{"product": "Apache Flink", "vendor": "Apache Software Foundation", "versions": [{"status": "affected", "version": "Apache Flink 1.5.1 to 1.11.2"}]}], "credits": [{"lang": "en", "value": "0rich1 of Ant Security FG Lab"}], "descriptions": [{"lang": "en", "value": "Apache Flink 1.5.1 introduced a REST handler that allows you to write an uploaded file to an arbitrary location on the local file system, through a maliciously modified HTTP HEADER. The files can be written to any location accessible by Flink 1.5.1. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit a5264a6f41524afe8ceadf1d8ddc8c80f323ebc4 from apache/flink:master."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-23", "description": "CWE-23 Relative Path Traversal", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2024-08-04T14:01:40.000Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261%40%3Cdev.flink.apache.org%3E"}, {"name": "[flink-dev] 20210105 [CVE-2020-17518] Apache Flink directory traversal attack: remote file writing through the REST API", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261%40%3Cdev.flink.apache.org%3E"}, {"name": "[flink-user] 20210105 [CVE-2020-17518] Apache Flink directory traversal attack: remote file writing through the REST API", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261%40%3Cuser.flink.apache.org%3E"}, {"name": "[announce] 20210105 [CVE-2020-17518] Apache Flink directory traversal attack: remote file writing through the REST API", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261%40%3Cannounce.apache.org%3E"}, {"name": "[oss-security] 20210105 [CVE-2020-17518] Apache Flink directory traversal attack: remote file writing through the REST API", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2021/01/05/1"}, {"name": "[flink-issues] 20210106 [GitHub] [flink-web] zentol commented on a change in pull request #408: Add security page for Flink", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r28f17e564950d663e68cc6fe75756012dda62ac623766bb9bc5e7034%40%3Cissues.flink.apache.org%3E"}, {"name": "[flink-dev] 20210106 [jira] [Created] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rd6a1a0e2d73220a65a8f6535bbcd24bb66adb0d046c4a1aa18777cf3%40%3Cdev.flink.apache.org%3E"}, {"name": "[flink-issues] 20210106 [jira] [Created] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r8167f30c4c60a11b8d5be3f55537beeda629be61196e693bde403b36%40%3Cissues.flink.apache.org%3E"}, {"name": "[flink-issues] 20210107 [jira] [Updated] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r0b000dc028616d33cb9aa388eb45d516b789cab0024dad94bc06588a%40%3Cissues.flink.apache.org%3E"}, {"name": "[flink-issues] 20210107 [jira] [Closed] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r705fb2211b82c9f1f8d2b1d4c823bcbca50402ba09b96608ec657efe%40%3Cissues.flink.apache.org%3E"}, {"name": "[flink-issues] 20210107 [jira] [Commented] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r5444acac3407ef6397d6aef1b5aec2db53b4b88ef221e63084c1e5f2%40%3Cissues.flink.apache.org%3E"}, {"name": "[flink-issues] 20210112 [jira] [Commented] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r710693b0d3b229c81f485804ea1145b4edda79c9e77d66c39a0a2ff1%40%3Cissues.flink.apache.org%3E"}, {"name": "[flink-dev] 20210113 Re: [DISCUSS] Releasing Apache Flink 1.10.3", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/ra8c96bf3ccb4e491f9ce87ba35f134b4449beb2a38d1ce28fd89001f%40%3Cdev.flink.apache.org%3E"}, {"name": "[flink-issues] 20210114 [jira] [Reopened] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rfe159ccf496d75813f24c6079c5d33872d83f5a2e39cb32c3aef5a73%40%3Cissues.flink.apache.org%3E"}, {"name": "[flink-issues] 20210114 [jira] [Commented] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r7b2ee88c66fc1d0823e66475631f5c3e7f0365204ff0cb094d9f2433%40%3Cissues.flink.apache.org%3E"}, {"name": "[flink-issues] 20210114 [jira] [Closed] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rec0d650fbd4ea1a5e1224a347d83a63cb44291c334ad58b8809bc23b%40%3Cissues.flink.apache.org%3E"}, {"name": "[flink-issues] 20210114 [jira] [Updated] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rf8812a5703f4a5f1341138baf239258b250875699732cfdf9d55b21d%40%3Cissues.flink.apache.org%3E"}, {"name": "[flink-issues] 20210114 [jira] [Comment Edited] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rcb9e8af775f2a3706b69153aefde78f208871649df057c70ce2e24f9%40%3Cissues.flink.apache.org%3E"}, {"name": "[flink-issues] 20210114 [jira] [Updated] (FLINK-20875) [CVE-2020-17518] Directory traversal attack: remote file writing through the REST API", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r88200d2f0b620c6b4b1585a7171355005c89e678b01d0e71a16c57e7%40%3Cissues.flink.apache.org%3E"}, {"name": "[flink-issues] 20210114 [jira] [Commented] (FLINK-20875) [CVE-2020-17518] Directory traversal attack: remote file writing through the REST API", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r4a87837518804b31eb9db3048347ed2bb7b46fbaad5844f22a9fd4dc%40%3Cissues.flink.apache.org%3E"}, {"name": "[flink-dev] 20210115 Re: [DISCUSS] Releasing Apache Flink 1.10.3", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r229167538863518738e02f4c1c5a8bb34c1d45dadcc97adf6676b0c1%40%3Cdev.flink.apache.org%3E"}, {"name": "[flink-dev] 20210121 Re: [VOTE] Release 1.10.3, release candidate #1", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rd2467344f88bcaf108b8209ca92da8ec393c68174bfb8c27d1e20faa%40%3Cdev.flink.apache.org%3E"}, {"name": "[announce] 20210125 Apache Software Foundation Security Report: 2020", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922%40%3Cannounce.apache.org%3E"}, {"name": "[announce] 20210223 Re: Apache Software Foundation Security Report: 2020", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7%40%3Cannounce.apache.org%3E"}, {"tags": ["x_refsource_MISC"], "url": "https://lists.apache.org/thread.html/r26fcdd4fe288323006253437ebc4dd6fdfadfb5e93465a0e4f68420d%40%3Cuser-zh.flink.apache.org%3E"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Flink directory traversal attack: remote file writing through the REST API", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2020-17518", "STATE": "PUBLIC", "TITLE": "Apache Flink directory traversal attack: remote file writing through the REST API"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Flink", "version": {"version_data": [{"version_name": "Apache Flink", "version_value": "1.5.1 to 1.11.2"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "credit": [{"lang": "eng", "value": "0rich1 of Ant Security FG Lab"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Apache Flink 1.5.1 introduced a REST handler that allows you to write an uploaded file to an arbitrary location on the local file system, through a maliciously modified HTTP HEADER. The files can be written to any location accessible by Flink 1.5.1. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit a5264a6f41524afe8ceadf1d8ddc8c80f323ebc4 from apache/flink:master."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-23 Relative Path Traversal"}]}]}, "references": {"reference_data": [{"name": "https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261%40%3Cdev.flink.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261%40%3Cdev.flink.apache.org%3E"}, {"name": "[flink-dev] 20210105 [CVE-2020-17518] Apache Flink directory traversal attack: remote file writing through the REST API", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261@%3Cdev.flink.apache.org%3E"}, {"name": "[flink-user] 20210105 [CVE-2020-17518] Apache Flink directory traversal attack: remote file writing through the REST API", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261@%3Cuser.flink.apache.org%3E"}, {"name": "[announce] 20210105 [CVE-2020-17518] Apache Flink directory traversal attack: remote file writing through the REST API", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261@%3Cannounce.apache.org%3E"}, {"name": "[oss-security] 20210105 [CVE-2020-17518] Apache Flink directory traversal attack: remote file writing through the REST API", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2021/01/05/1"}, {"name": "[flink-issues] 20210106 [GitHub] [flink-web] zentol commented on a change in pull request #408: Add security page for Flink", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r28f17e564950d663e68cc6fe75756012dda62ac623766bb9bc5e7034@%3Cissues.flink.apache.org%3E"}, {"name": "[flink-dev] 20210106 [jira] [Created] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rd6a1a0e2d73220a65a8f6535bbcd24bb66adb0d046c4a1aa18777cf3@%3Cdev.flink.apache.org%3E"}, {"name": "[flink-issues] 20210106 [jira] [Created] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r8167f30c4c60a11b8d5be3f55537beeda629be61196e693bde403b36@%3Cissues.flink.apache.org%3E"}, {"name": "[flink-issues] 20210107 [jira] [Updated] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r0b000dc028616d33cb9aa388eb45d516b789cab0024dad94bc06588a@%3Cissues.flink.apache.org%3E"}, {"name": "[flink-issues] 20210107 [jira] [Closed] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r705fb2211b82c9f1f8d2b1d4c823bcbca50402ba09b96608ec657efe@%3Cissues.flink.apache.org%3E"}, {"name": "[flink-issues] 20210107 [jira] [Commented] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r5444acac3407ef6397d6aef1b5aec2db53b4b88ef221e63084c1e5f2@%3Cissues.flink.apache.org%3E"}, {"name": "[flink-issues] 20210112 [jira] [Commented] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r710693b0d3b229c81f485804ea1145b4edda79c9e77d66c39a0a2ff1@%3Cissues.flink.apache.org%3E"}, {"name": "[flink-dev] 20210113 Re: [DISCUSS] Releasing Apache Flink 1.10.3", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/ra8c96bf3ccb4e491f9ce87ba35f134b4449beb2a38d1ce28fd89001f@%3Cdev.flink.apache.org%3E"}, {"name": "[flink-issues] 20210114 [jira] [Reopened] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rfe159ccf496d75813f24c6079c5d33872d83f5a2e39cb32c3aef5a73@%3Cissues.flink.apache.org%3E"}, {"name": "[flink-issues] 20210114 [jira] [Commented] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r7b2ee88c66fc1d0823e66475631f5c3e7f0365204ff0cb094d9f2433@%3Cissues.flink.apache.org%3E"}, {"name": "[flink-issues] 20210114 [jira] [Closed] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rec0d650fbd4ea1a5e1224a347d83a63cb44291c334ad58b8809bc23b@%3Cissues.flink.apache.org%3E"}, {"name": "[flink-issues] 20210114 [jira] [Updated] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rf8812a5703f4a5f1341138baf239258b250875699732cfdf9d55b21d@%3Cissues.flink.apache.org%3E"}, {"name": "[flink-issues] 20210114 [jira] [Comment Edited] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rcb9e8af775f2a3706b69153aefde78f208871649df057c70ce2e24f9@%3Cissues.flink.apache.org%3E"}, {"name": "[flink-issues] 20210114 [jira] [Updated] (FLINK-20875) [CVE-2020-17518] Directory traversal attack: remote file writing through the REST API", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r88200d2f0b620c6b4b1585a7171355005c89e678b01d0e71a16c57e7@%3Cissues.flink.apache.org%3E"}, {"name": "[flink-issues] 20210114 [jira] [Commented] (FLINK-20875) [CVE-2020-17518] Directory traversal attack: remote file writing through the REST API", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r4a87837518804b31eb9db3048347ed2bb7b46fbaad5844f22a9fd4dc@%3Cissues.flink.apache.org%3E"}, {"name": "[flink-dev] 20210115 Re: [DISCUSS] Releasing Apache Flink 1.10.3", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r229167538863518738e02f4c1c5a8bb34c1d45dadcc97adf6676b0c1@%3Cdev.flink.apache.org%3E"}, {"name": "[flink-dev] 20210121 Re: [VOTE] Release 1.10.3, release candidate #1", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rd2467344f88bcaf108b8209ca92da8ec393c68174bfb8c27d1e20faa@%3Cdev.flink.apache.org%3E"}, {"name": "[announce] 20210125 Apache Software Foundation Security Report: 2020", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922@%3Cannounce.apache.org%3E"}, {"name": "[announce] 20210223 Re: Apache Software Foundation Security Report: 2020", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7@%3Cannounce.apache.org%3E"}, {"name": "https://lists.apache.org/thread.html/r26fcdd4fe288323006253437ebc4dd6fdfadfb5e93465a0e4f68420d@%3Cuser-zh.flink.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/r26fcdd4fe288323006253437ebc4dd6fdfadfb5e93465a0e4f68420d@%3Cuser-zh.flink.apache.org%3E"}]}, "source": {"discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T14:00:48.660Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261%40%3Cdev.flink.apache.org%3E"}, {"name": "[flink-dev] 20210105 [CVE-2020-17518] Apache Flink directory traversal attack: remote file writing through the REST API", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261%40%3Cdev.flink.apache.org%3E"}, {"name": "[flink-user] 20210105 [CVE-2020-17518] Apache Flink directory traversal attack: remote file writing through the REST API", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261%40%3Cuser.flink.apache.org%3E"}, {"name": "[announce] 20210105 [CVE-2020-17518] Apache Flink directory traversal attack: remote file writing through the REST API", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261%40%3Cannounce.apache.org%3E"}, {"name": "[oss-security] 20210105 [CVE-2020-17518] Apache Flink directory traversal attack: remote file writing through the REST API", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2021/01/05/1"}, {"name": "[flink-issues] 20210106 [GitHub] [flink-web] zentol commented on a change in pull request #408: Add security page for Flink", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r28f17e564950d663e68cc6fe75756012dda62ac623766bb9bc5e7034%40%3Cissues.flink.apache.org%3E"}, {"name": "[flink-dev] 20210106 [jira] [Created] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/rd6a1a0e2d73220a65a8f6535bbcd24bb66adb0d046c4a1aa18777cf3%40%3Cdev.flink.apache.org%3E"}, {"name": "[flink-issues] 20210106 [jira] [Created] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r8167f30c4c60a11b8d5be3f55537beeda629be61196e693bde403b36%40%3Cissues.flink.apache.org%3E"}, {"name": "[flink-issues] 20210107 [jira] [Updated] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r0b000dc028616d33cb9aa388eb45d516b789cab0024dad94bc06588a%40%3Cissues.flink.apache.org%3E"}, {"name": "[flink-issues] 20210107 [jira] [Closed] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r705fb2211b82c9f1f8d2b1d4c823bcbca50402ba09b96608ec657efe%40%3Cissues.flink.apache.org%3E"}, {"name": "[flink-issues] 20210107 [jira] [Commented] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r5444acac3407ef6397d6aef1b5aec2db53b4b88ef221e63084c1e5f2%40%3Cissues.flink.apache.org%3E"}, {"name": "[flink-issues] 20210112 [jira] [Commented] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r710693b0d3b229c81f485804ea1145b4edda79c9e77d66c39a0a2ff1%40%3Cissues.flink.apache.org%3E"}, {"name": "[flink-dev] 20210113 Re: [DISCUSS] Releasing Apache Flink 1.10.3", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/ra8c96bf3ccb4e491f9ce87ba35f134b4449beb2a38d1ce28fd89001f%40%3Cdev.flink.apache.org%3E"}, {"name": "[flink-issues] 20210114 [jira] [Reopened] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/rfe159ccf496d75813f24c6079c5d33872d83f5a2e39cb32c3aef5a73%40%3Cissues.flink.apache.org%3E"}, {"name": "[flink-issues] 20210114 [jira] [Commented] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r7b2ee88c66fc1d0823e66475631f5c3e7f0365204ff0cb094d9f2433%40%3Cissues.flink.apache.org%3E"}, {"name": "[flink-issues] 20210114 [jira] [Closed] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/rec0d650fbd4ea1a5e1224a347d83a63cb44291c334ad58b8809bc23b%40%3Cissues.flink.apache.org%3E"}, {"name": "[flink-issues] 20210114 [jira] [Updated] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/rf8812a5703f4a5f1341138baf239258b250875699732cfdf9d55b21d%40%3Cissues.flink.apache.org%3E"}, {"name": "[flink-issues] 20210114 [jira] [Comment Edited] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/rcb9e8af775f2a3706b69153aefde78f208871649df057c70ce2e24f9%40%3Cissues.flink.apache.org%3E"}, {"name": "[flink-issues] 20210114 [jira] [Updated] (FLINK-20875) [CVE-2020-17518] Directory traversal attack: remote file writing through the REST API", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r88200d2f0b620c6b4b1585a7171355005c89e678b01d0e71a16c57e7%40%3Cissues.flink.apache.org%3E"}, {"name": "[flink-issues] 20210114 [jira] [Commented] (FLINK-20875) [CVE-2020-17518] Directory traversal attack: remote file writing through the REST API", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r4a87837518804b31eb9db3048347ed2bb7b46fbaad5844f22a9fd4dc%40%3Cissues.flink.apache.org%3E"}, {"name": "[flink-dev] 20210115 Re: [DISCUSS] Releasing Apache Flink 1.10.3", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r229167538863518738e02f4c1c5a8bb34c1d45dadcc97adf6676b0c1%40%3Cdev.flink.apache.org%3E"}, {"name": "[flink-dev] 20210121 Re: [VOTE] Release 1.10.3, release candidate #1", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/rd2467344f88bcaf108b8209ca92da8ec393c68174bfb8c27d1e20faa%40%3Cdev.flink.apache.org%3E"}, {"name": "[announce] 20210125 Apache Software Foundation Security Report: 2020", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922%40%3Cannounce.apache.org%3E"}, {"name": "[announce] 20210223 Re: Apache Software Foundation Security Report: 2020", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7%40%3Cannounce.apache.org%3E"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://lists.apache.org/thread.html/r26fcdd4fe288323006253437ebc4dd6fdfadfb5e93465a0e4f68420d%40%3Cuser-zh.flink.apache.org%3E"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2020-17518", "datePublished": "2021-01-05T11:40:13.000Z", "dateReserved": "2020-08-12T00:00:00.000Z", "dateUpdated": "2025-02-13T16:27:34.016Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{

containers : { »

cna : { »

affected : [ »

0 : { »

product : Apache Flink (string)

vendor : Apache Software Foundation (string)

versions : [ »

0 : { »

status : affected (string)

version : Apache Flink 1.5.1 to 1.11.2 (string)

}

]

}

]

credits : [ »

0 : { »

lang : en (string)

value : 0rich1 of Ant Security FG Lab (string)

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : Apache Flink 1.5.1 introduced a REST handler that allows you to write an uploaded file to an arbitrary location on the local file system, through a maliciously modified HTTP HEADER. The files can be written to any location accessible by Flink 1.5.1. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit a5264a6f41524afe8ceadf1d8ddc8c80f323ebc4 from apache/flink:master. (string)

}

]

problemTypes : [ »

0 : { »

descriptions : [ »

0 : { »

cweId : CWE-23 (string)

description : CWE-23 Relative Path Traversal (string)

lang : en (string)

type : CWE (string)

}

]

}

]

providerMetadata : { »

dateUpdated : 2024-08-04T14:01:40.000Z (string)

orgId : f0158376-9dc2-43b6-827c-5f631a4d8d09 (string)

shortName : apache (string)

}

references : [ »

0 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261%40%3Cdev.flink.apache.org%3E (string)

}

1 : { »

name : [flink-dev] 20210105 [CVE-2020-17518] Apache Flink directory traversal attack: remote file writing through the REST API (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

]

url : https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261%40%3Cdev.flink.apache.org%3E (string)

}

2 : { »

name : [flink-user] 20210105 [CVE-2020-17518] Apache Flink directory traversal attack: remote file writing through the REST API (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

]

url : https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261%40%3Cuser.flink.apache.org%3E (string)

}

3 : { »

name : [announce] 20210105 [CVE-2020-17518] Apache Flink directory traversal attack: remote file writing through the REST API (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

]

url : https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261%40%3Cannounce.apache.org%3E (string)

}

4 : { »

name : [oss-security] 20210105 [CVE-2020-17518] Apache Flink directory traversal attack: remote file writing through the REST API (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

]

url : http://www.openwall.com/lists/oss-security/2021/01/05/1 (string)

}

5 : { »

name : [flink-issues] 20210106 [GitHub] [flink-web] zentol commented on a change in pull request #408: Add security page for Flink (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

]

url : https://lists.apache.org/thread.html/r28f17e564950d663e68cc6fe75756012dda62ac623766bb9bc5e7034%40%3Cissues.flink.apache.org%3E (string)

}

6 : { »

name : [flink-dev] 20210106 [jira] [Created] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10 (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

]

url : https://lists.apache.org/thread.html/rd6a1a0e2d73220a65a8f6535bbcd24bb66adb0d046c4a1aa18777cf3%40%3Cdev.flink.apache.org%3E (string)

}

7 : { »

name : [flink-issues] 20210106 [jira] [Created] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10 (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

]

url : https://lists.apache.org/thread.html/r8167f30c4c60a11b8d5be3f55537beeda629be61196e693bde403b36%40%3Cissues.flink.apache.org%3E (string)

}

8 : { »

name : [flink-issues] 20210107 [jira] [Updated] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10 (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

]

url : https://lists.apache.org/thread.html/r0b000dc028616d33cb9aa388eb45d516b789cab0024dad94bc06588a%40%3Cissues.flink.apache.org%3E (string)

}

9 : { »

name : [flink-issues] 20210107 [jira] [Closed] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10 (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

]

url : https://lists.apache.org/thread.html/r705fb2211b82c9f1f8d2b1d4c823bcbca50402ba09b96608ec657efe%40%3Cissues.flink.apache.org%3E (string)

}

10 : { »

name : [flink-issues] 20210107 [jira] [Commented] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10 (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

]

url : https://lists.apache.org/thread.html/r5444acac3407ef6397d6aef1b5aec2db53b4b88ef221e63084c1e5f2%40%3Cissues.flink.apache.org%3E (string)

}

11 : { »

name : [flink-issues] 20210112 [jira] [Commented] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10 (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

]

url : https://lists.apache.org/thread.html/r710693b0d3b229c81f485804ea1145b4edda79c9e77d66c39a0a2ff1%40%3Cissues.flink.apache.org%3E (string)

}

12 : { »

name : [flink-dev] 20210113 Re: [DISCUSS] Releasing Apache Flink 1.10.3 (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

]

url : https://lists.apache.org/thread.html/ra8c96bf3ccb4e491f9ce87ba35f134b4449beb2a38d1ce28fd89001f%40%3Cdev.flink.apache.org%3E (string)

}

13 : { »

name : [flink-issues] 20210114 [jira] [Reopened] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10 (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

]

url : https://lists.apache.org/thread.html/rfe159ccf496d75813f24c6079c5d33872d83f5a2e39cb32c3aef5a73%40%3Cissues.flink.apache.org%3E (string)

}

14 : { »

name : [flink-issues] 20210114 [jira] [Commented] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10 (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

]

url : https://lists.apache.org/thread.html/r7b2ee88c66fc1d0823e66475631f5c3e7f0365204ff0cb094d9f2433%40%3Cissues.flink.apache.org%3E (string)

}

15 : { »

name : [flink-issues] 20210114 [jira] [Closed] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10 (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

]

url : https://lists.apache.org/thread.html/rec0d650fbd4ea1a5e1224a347d83a63cb44291c334ad58b8809bc23b%40%3Cissues.flink.apache.org%3E (string)

}

16 : { »

name : [flink-issues] 20210114 [jira] [Updated] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10 (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

]

url : https://lists.apache.org/thread.html/rf8812a5703f4a5f1341138baf239258b250875699732cfdf9d55b21d%40%3Cissues.flink.apache.org%3E (string)

}

17 : { »

name : [flink-issues] 20210114 [jira] [Comment Edited] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10 (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

]

url : https://lists.apache.org/thread.html/rcb9e8af775f2a3706b69153aefde78f208871649df057c70ce2e24f9%40%3Cissues.flink.apache.org%3E (string)

}

18 : { »

name : [flink-issues] 20210114 [jira] [Updated] (FLINK-20875) [CVE-2020-17518] Directory traversal attack: remote file writing through the REST API (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

]

url : https://lists.apache.org/thread.html/r88200d2f0b620c6b4b1585a7171355005c89e678b01d0e71a16c57e7%40%3Cissues.flink.apache.org%3E (string)

}

19 : { »

name : [flink-issues] 20210114 [jira] [Commented] (FLINK-20875) [CVE-2020-17518] Directory traversal attack: remote file writing through the REST API (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

]

url : https://lists.apache.org/thread.html/r4a87837518804b31eb9db3048347ed2bb7b46fbaad5844f22a9fd4dc%40%3Cissues.flink.apache.org%3E (string)

}

20 : { »

name : [flink-dev] 20210115 Re: [DISCUSS] Releasing Apache Flink 1.10.3 (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

]

url : https://lists.apache.org/thread.html/r229167538863518738e02f4c1c5a8bb34c1d45dadcc97adf6676b0c1%40%3Cdev.flink.apache.org%3E (string)

}

21 : { »

name : [flink-dev] 20210121 Re: [VOTE] Release 1.10.3, release candidate #1 (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

]

url : https://lists.apache.org/thread.html/rd2467344f88bcaf108b8209ca92da8ec393c68174bfb8c27d1e20faa%40%3Cdev.flink.apache.org%3E (string)

}

22 : { »

name : [announce] 20210125 Apache Software Foundation Security Report: 2020 (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

]

url : https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922%40%3Cannounce.apache.org%3E (string)

}

23 : { »

name : [announce] 20210223 Re: Apache Software Foundation Security Report: 2020 (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

]

url : https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7%40%3Cannounce.apache.org%3E (string)

}

24 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : https://lists.apache.org/thread.html/r26fcdd4fe288323006253437ebc4dd6fdfadfb5e93465a0e4f68420d%40%3Cuser-zh.flink.apache.org%3E (string)

}

]

source : { »

discovery : UNKNOWN (string)

}

title : Apache Flink directory traversal attack: remote file writing through the REST API (string)

x_generator : { »

engine : Vulnogram 0.0.9 (string)

}

x_legacyV4Record : { »

CVE_data_meta : { »

ASSIGNER : security@apache.org (string)

ID : CVE-2020-17518 (string)

STATE : PUBLIC (string)

TITLE : Apache Flink directory traversal attack: remote file writing through the REST API (string)

}

affects : { »

vendor : { »

vendor_data : [ »

0 : { »

product : { »

product_data : [ »

0 : { »

product_name : Apache Flink (string)

version : { »

version_data : [ »

0 : { »

version_name : Apache Flink (string)

version_value : 1.5.1 to 1.11.2 (string)

}

]

}

]

}

vendor_name : Apache Software Foundation (string)

}

]

}

credit : [ »

0 : { »

lang : eng (string)

value : 0rich1 of Ant Security FG Lab (string)

}

]

data_format : MITRE (string)

data_type : CVE (string)

data_version : 4.0 (string)

description : { »

description_data : [ »

0 : { »

lang : eng (string)

value : Apache Flink 1.5.1 introduced a REST handler that allows you to write an uploaded file to an arbitrary location on the local file system, through a maliciously modified HTTP HEADER. The files can be written to any location accessible by Flink 1.5.1. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit a5264a6f41524afe8ceadf1d8ddc8c80f323ebc4 from apache/flink:master. (string)

}

]

}

generator : { »

engine : Vulnogram 0.0.9 (string)

}

problemtype : { »

problemtype_data : [ »

0 : { »

description : [ »

0 : { »

lang : eng (string)

value : CWE-23 Relative Path Traversal (string)

}

]

}

]

}

references : { »

reference_data : [ »

0 : { »

name : https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261%40%3Cdev.flink.apache.org%3E (string)

refsource : MISC (string)

url : https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261%40%3Cdev.flink.apache.org%3E (string)

}

1 : { »

name : [flink-dev] 20210105 [CVE-2020-17518] Apache Flink directory traversal attack: remote file writing through the REST API (string)

refsource : MLIST (string)

url : https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261@%3Cdev.flink.apache.org%3E (string)

}

2 : { »

name : [flink-user] 20210105 [CVE-2020-17518] Apache Flink directory traversal attack: remote file writing through the REST API (string)

refsource : MLIST (string)

url : https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261@%3Cuser.flink.apache.org%3E (string)

}

3 : { »

name : [announce] 20210105 [CVE-2020-17518] Apache Flink directory traversal attack: remote file writing through the REST API (string)

refsource : MLIST (string)

url : https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261@%3Cannounce.apache.org%3E (string)

}

4 : { »

name : [oss-security] 20210105 [CVE-2020-17518] Apache Flink directory traversal attack: remote file writing through the REST API (string)

refsource : MLIST (string)

url : http://www.openwall.com/lists/oss-security/2021/01/05/1 (string)

}

5 : { »

name : [flink-issues] 20210106 [GitHub] [flink-web] zentol commented on a change in pull request #408: Add security page for Flink (string)

refsource : MLIST (string)

url : https://lists.apache.org/thread.html/r28f17e564950d663e68cc6fe75756012dda62ac623766bb9bc5e7034@%3Cissues.flink.apache.org%3E (string)

}

6 : { »

name : [flink-dev] 20210106 [jira] [Created] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10 (string)

refsource : MLIST (string)

url : https://lists.apache.org/thread.html/rd6a1a0e2d73220a65a8f6535bbcd24bb66adb0d046c4a1aa18777cf3@%3Cdev.flink.apache.org%3E (string)

}

7 : { »

name : [flink-issues] 20210106 [jira] [Created] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10 (string)

refsource : MLIST (string)

url : https://lists.apache.org/thread.html/r8167f30c4c60a11b8d5be3f55537beeda629be61196e693bde403b36@%3Cissues.flink.apache.org%3E (string)

}

8 : { »

name : [flink-issues] 20210107 [jira] [Updated] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10 (string)

refsource : MLIST (string)

url : https://lists.apache.org/thread.html/r0b000dc028616d33cb9aa388eb45d516b789cab0024dad94bc06588a@%3Cissues.flink.apache.org%3E (string)

}

9 : { »

name : [flink-issues] 20210107 [jira] [Closed] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10 (string)

refsource : MLIST (string)

url : https://lists.apache.org/thread.html/r705fb2211b82c9f1f8d2b1d4c823bcbca50402ba09b96608ec657efe@%3Cissues.flink.apache.org%3E (string)

}

10 : { »

name : [flink-issues] 20210107 [jira] [Commented] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10 (string)

refsource : MLIST (string)

url : https://lists.apache.org/thread.html/r5444acac3407ef6397d6aef1b5aec2db53b4b88ef221e63084c1e5f2@%3Cissues.flink.apache.org%3E (string)

}

11 : { »

name : [flink-issues] 20210112 [jira] [Commented] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10 (string)

refsource : MLIST (string)

url : https://lists.apache.org/thread.html/r710693b0d3b229c81f485804ea1145b4edda79c9e77d66c39a0a2ff1@%3Cissues.flink.apache.org%3E (string)

}

12 : { »

name : [flink-dev] 20210113 Re: [DISCUSS] Releasing Apache Flink 1.10.3 (string)

refsource : MLIST (string)

url : https://lists.apache.org/thread.html/ra8c96bf3ccb4e491f9ce87ba35f134b4449beb2a38d1ce28fd89001f@%3Cdev.flink.apache.org%3E (string)

}

13 : { »

name : [flink-issues] 20210114 [jira] [Reopened] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10 (string)

refsource : MLIST (string)

url : https://lists.apache.org/thread.html/rfe159ccf496d75813f24c6079c5d33872d83f5a2e39cb32c3aef5a73@%3Cissues.flink.apache.org%3E (string)

}

14 : { »

name : [flink-issues] 20210114 [jira] [Commented] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10 (string)

refsource : MLIST (string)

url : https://lists.apache.org/thread.html/r7b2ee88c66fc1d0823e66475631f5c3e7f0365204ff0cb094d9f2433@%3Cissues.flink.apache.org%3E (string)

}

15 : { »

name : [flink-issues] 20210114 [jira] [Closed] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10 (string)

refsource : MLIST (string)

url : https://lists.apache.org/thread.html/rec0d650fbd4ea1a5e1224a347d83a63cb44291c334ad58b8809bc23b@%3Cissues.flink.apache.org%3E (string)

}

16 : { »

name : [flink-issues] 20210114 [jira] [Updated] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10 (string)

refsource : MLIST (string)

url : https://lists.apache.org/thread.html/rf8812a5703f4a5f1341138baf239258b250875699732cfdf9d55b21d@%3Cissues.flink.apache.org%3E (string)

}

17 : { »

name : [flink-issues] 20210114 [jira] [Comment Edited] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10 (string)

refsource : MLIST (string)

url : https://lists.apache.org/thread.html/rcb9e8af775f2a3706b69153aefde78f208871649df057c70ce2e24f9@%3Cissues.flink.apache.org%3E (string)

}

18 : { »

name : [flink-issues] 20210114 [jira] [Updated] (FLINK-20875) [CVE-2020-17518] Directory traversal attack: remote file writing through the REST API (string)

refsource : MLIST (string)

url : https://lists.apache.org/thread.html/r88200d2f0b620c6b4b1585a7171355005c89e678b01d0e71a16c57e7@%3Cissues.flink.apache.org%3E (string)

}

19 : { »

name : [flink-issues] 20210114 [jira] [Commented] (FLINK-20875) [CVE-2020-17518] Directory traversal attack: remote file writing through the REST API (string)

refsource : MLIST (string)

url : https://lists.apache.org/thread.html/r4a87837518804b31eb9db3048347ed2bb7b46fbaad5844f22a9fd4dc@%3Cissues.flink.apache.org%3E (string)

}

20 : { »

name : [flink-dev] 20210115 Re: [DISCUSS] Releasing Apache Flink 1.10.3 (string)

refsource : MLIST (string)

url : https://lists.apache.org/thread.html/r229167538863518738e02f4c1c5a8bb34c1d45dadcc97adf6676b0c1@%3Cdev.flink.apache.org%3E (string)

}

21 : { »

name : [flink-dev] 20210121 Re: [VOTE] Release 1.10.3, release candidate #1 (string)

refsource : MLIST (string)

url : https://lists.apache.org/thread.html/rd2467344f88bcaf108b8209ca92da8ec393c68174bfb8c27d1e20faa@%3Cdev.flink.apache.org%3E (string)

}

22 : { »

name : [announce] 20210125 Apache Software Foundation Security Report: 2020 (string)

refsource : MLIST (string)

url : https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922@%3Cannounce.apache.org%3E (string)

}

23 : { »

name : [announce] 20210223 Re: Apache Software Foundation Security Report: 2020 (string)

refsource : MLIST (string)

url : https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7@%3Cannounce.apache.org%3E (string)

}

24 : { »

name : https://lists.apache.org/thread.html/r26fcdd4fe288323006253437ebc4dd6fdfadfb5e93465a0e4f68420d@%3Cuser-zh.flink.apache.org%3E (string)

refsource : MISC (string)

url : https://lists.apache.org/thread.html/r26fcdd4fe288323006253437ebc4dd6fdfadfb5e93465a0e4f68420d@%3Cuser-zh.flink.apache.org%3E (string)

}

]

}

source : { »

discovery : UNKNOWN (string)

}

adp : [ »

0 : { »

providerMetadata : { »

orgId : af854a3a-2127-422b-91ae-364da2661108 (string)

shortName : CVE (string)

dateUpdated : 2024-08-04T14:00:48.660Z (string)

}

title : CVE Program Container (string)

references : [ »

0 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261%40%3Cdev.flink.apache.org%3E (string)

}

1 : { »

name : [flink-dev] 20210105 [CVE-2020-17518] Apache Flink directory traversal attack: remote file writing through the REST API (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

2 : x_transferred (string)

]

url : https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261%40%3Cdev.flink.apache.org%3E (string)

}

2 : { »

name : [flink-user] 20210105 [CVE-2020-17518] Apache Flink directory traversal attack: remote file writing through the REST API (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

2 : x_transferred (string)

]

url : https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261%40%3Cuser.flink.apache.org%3E (string)

}

3 : { »

name : [announce] 20210105 [CVE-2020-17518] Apache Flink directory traversal attack: remote file writing through the REST API (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

2 : x_transferred (string)

]

url : https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261%40%3Cannounce.apache.org%3E (string)

}

4 : { »

name : [oss-security] 20210105 [CVE-2020-17518] Apache Flink directory traversal attack: remote file writing through the REST API (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

2 : x_transferred (string)

]

url : http://www.openwall.com/lists/oss-security/2021/01/05/1 (string)

}

5 : { »

name : [flink-issues] 20210106 [GitHub] [flink-web] zentol commented on a change in pull request #408: Add security page for Flink (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

2 : x_transferred (string)

]

url : https://lists.apache.org/thread.html/r28f17e564950d663e68cc6fe75756012dda62ac623766bb9bc5e7034%40%3Cissues.flink.apache.org%3E (string)

}

6 : { »

name : [flink-dev] 20210106 [jira] [Created] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10 (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

2 : x_transferred (string)

]

url : https://lists.apache.org/thread.html/rd6a1a0e2d73220a65a8f6535bbcd24bb66adb0d046c4a1aa18777cf3%40%3Cdev.flink.apache.org%3E (string)

}

7 : { »

name : [flink-issues] 20210106 [jira] [Created] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10 (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

2 : x_transferred (string)

]

url : https://lists.apache.org/thread.html/r8167f30c4c60a11b8d5be3f55537beeda629be61196e693bde403b36%40%3Cissues.flink.apache.org%3E (string)

}

8 : { »

name : [flink-issues] 20210107 [jira] [Updated] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10 (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

2 : x_transferred (string)

]

url : https://lists.apache.org/thread.html/r0b000dc028616d33cb9aa388eb45d516b789cab0024dad94bc06588a%40%3Cissues.flink.apache.org%3E (string)

}

9 : { »

name : [flink-issues] 20210107 [jira] [Closed] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10 (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

2 : x_transferred (string)

]

url : https://lists.apache.org/thread.html/r705fb2211b82c9f1f8d2b1d4c823bcbca50402ba09b96608ec657efe%40%3Cissues.flink.apache.org%3E (string)

}

10 : { »

name : [flink-issues] 20210107 [jira] [Commented] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10 (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

2 : x_transferred (string)

]

url : https://lists.apache.org/thread.html/r5444acac3407ef6397d6aef1b5aec2db53b4b88ef221e63084c1e5f2%40%3Cissues.flink.apache.org%3E (string)

}

11 : { »

name : [flink-issues] 20210112 [jira] [Commented] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10 (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

2 : x_transferred (string)

]

url : https://lists.apache.org/thread.html/r710693b0d3b229c81f485804ea1145b4edda79c9e77d66c39a0a2ff1%40%3Cissues.flink.apache.org%3E (string)

}

12 : { »

name : [flink-dev] 20210113 Re: [DISCUSS] Releasing Apache Flink 1.10.3 (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

2 : x_transferred (string)

]

url : https://lists.apache.org/thread.html/ra8c96bf3ccb4e491f9ce87ba35f134b4449beb2a38d1ce28fd89001f%40%3Cdev.flink.apache.org%3E (string)

}

13 : { »

name : [flink-issues] 20210114 [jira] [Reopened] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10 (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

2 : x_transferred (string)

]

url : https://lists.apache.org/thread.html/rfe159ccf496d75813f24c6079c5d33872d83f5a2e39cb32c3aef5a73%40%3Cissues.flink.apache.org%3E (string)

}

14 : { »

name : [flink-issues] 20210114 [jira] [Commented] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10 (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

2 : x_transferred (string)

]

url : https://lists.apache.org/thread.html/r7b2ee88c66fc1d0823e66475631f5c3e7f0365204ff0cb094d9f2433%40%3Cissues.flink.apache.org%3E (string)

}

15 : { »

name : [flink-issues] 20210114 [jira] [Closed] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10 (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

2 : x_transferred (string)

]

url : https://lists.apache.org/thread.html/rec0d650fbd4ea1a5e1224a347d83a63cb44291c334ad58b8809bc23b%40%3Cissues.flink.apache.org%3E (string)

}

16 : { »

name : [flink-issues] 20210114 [jira] [Updated] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10 (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

2 : x_transferred (string)

]

url : https://lists.apache.org/thread.html/rf8812a5703f4a5f1341138baf239258b250875699732cfdf9d55b21d%40%3Cissues.flink.apache.org%3E (string)

}

17 : { »

name : [flink-issues] 20210114 [jira] [Comment Edited] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10 (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

2 : x_transferred (string)

]

url : https://lists.apache.org/thread.html/rcb9e8af775f2a3706b69153aefde78f208871649df057c70ce2e24f9%40%3Cissues.flink.apache.org%3E (string)

}

18 : { »

name : [flink-issues] 20210114 [jira] [Updated] (FLINK-20875) [CVE-2020-17518] Directory traversal attack: remote file writing through the REST API (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

2 : x_transferred (string)

]

url : https://lists.apache.org/thread.html/r88200d2f0b620c6b4b1585a7171355005c89e678b01d0e71a16c57e7%40%3Cissues.flink.apache.org%3E (string)

}

19 : { »

name : [flink-issues] 20210114 [jira] [Commented] (FLINK-20875) [CVE-2020-17518] Directory traversal attack: remote file writing through the REST API (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

2 : x_transferred (string)

]

url : https://lists.apache.org/thread.html/r4a87837518804b31eb9db3048347ed2bb7b46fbaad5844f22a9fd4dc%40%3Cissues.flink.apache.org%3E (string)

}

20 : { »

name : [flink-dev] 20210115 Re: [DISCUSS] Releasing Apache Flink 1.10.3 (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

2 : x_transferred (string)

]

url : https://lists.apache.org/thread.html/r229167538863518738e02f4c1c5a8bb34c1d45dadcc97adf6676b0c1%40%3Cdev.flink.apache.org%3E (string)

}

21 : { »

name : [flink-dev] 20210121 Re: [VOTE] Release 1.10.3, release candidate #1 (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

2 : x_transferred (string)

]

url : https://lists.apache.org/thread.html/rd2467344f88bcaf108b8209ca92da8ec393c68174bfb8c27d1e20faa%40%3Cdev.flink.apache.org%3E (string)

}

22 : { »

name : [announce] 20210125 Apache Software Foundation Security Report: 2020 (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

2 : x_transferred (string)

]

url : https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922%40%3Cannounce.apache.org%3E (string)

}

23 : { »

name : [announce] 20210223 Re: Apache Software Foundation Security Report: 2020 (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

2 : x_transferred (string)

]

url : https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7%40%3Cannounce.apache.org%3E (string)

}

24 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : https://lists.apache.org/thread.html/r26fcdd4fe288323006253437ebc4dd6fdfadfb5e93465a0e4f68420d%40%3Cuser-zh.flink.apache.org%3E (string)

}

]

}

]

}

cveMetadata : { »

assignerOrgId : f0158376-9dc2-43b6-827c-5f631a4d8d09 (string)

assignerShortName : apache (string)

cveId : CVE-2020-17518 (string)

datePublished : 2021-01-05T11:40:13.000Z (string)

dateReserved : 2020-08-12T00:00:00.000Z (string)

dateUpdated : 2025-02-13T16:27:34.016Z (string)

state : PUBLISHED (string)

}

dataType : CVE_RECORD (string)

dataVersion : 5.1 (string)

}

Show plain JSON

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:flink:*:*:*:*:*:*:*:*", "matchCriteriaId": "080CC731-EB0E-4F46-A9A0-D0AB49C84A83", "versionEndExcluding": "1.11.3", "versionStartIncluding": "1.5.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Apache Flink 1.5.1 introduced a REST handler that allows you to write an uploaded file to an arbitrary location on the local file system, through a maliciously modified HTTP HEADER. The files can be written to any location accessible by Flink 1.5.1. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit a5264a6f41524afe8ceadf1d8ddc8c80f323ebc4 from apache/flink:master."}, {"lang": "es", "value": "Apache Flink versi\u00f3n 1.5.1, introdujo un controlador de REST que le permite escribir un archivo cargado en una ubicaci\u00f3n arbitraria en el sistema de archivos local, por medio de un encabezado HTTP modificado maliciosamente.&#xa0;Los archivos se pueden escribir en cualquier ubicaci\u00f3n accesible de Flink versi\u00f3n 1.5.1.&#xa0;Todos los usuarios deben actualizar a Flink versi\u00f3n 1.11.3 o 1.12.0 si sus instancias de Flink est\u00e1n expuestas.&#xa0;El problema se corrigi\u00f3 en el commit a5264a6f41524afe8ceadf1d8ddc8c80f323ebc4 de apache/flink:master"}], "id": "CVE-2020-17518", "lastModified": "2024-11-21T05:08:16.340", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-01-05T12:15:12.367", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2021/01/05/1"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r0b000dc028616d33cb9aa388eb45d516b789cab0024dad94bc06588a%40%3Cissues.flink.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7%40%3Cannounce.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r229167538863518738e02f4c1c5a8bb34c1d45dadcc97adf6676b0c1%40%3Cdev.flink.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r26fcdd4fe288323006253437ebc4dd6fdfadfb5e93465a0e4f68420d%40%3Cuser-zh.flink.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r28f17e564950d663e68cc6fe75756012dda62ac623766bb9bc5e7034%40%3Cissues.flink.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r4a87837518804b31eb9db3048347ed2bb7b46fbaad5844f22a9fd4dc%40%3Cissues.flink.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r5444acac3407ef6397d6aef1b5aec2db53b4b88ef221e63084c1e5f2%40%3Cissues.flink.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r705fb2211b82c9f1f8d2b1d4c823bcbca50402ba09b96608ec657efe%40%3Cissues.flink.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r710693b0d3b229c81f485804ea1145b4edda79c9e77d66c39a0a2ff1%40%3Cissues.flink.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r7b2ee88c66fc1d0823e66475631f5c3e7f0365204ff0cb094d9f2433%40%3Cissues.flink.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r8167f30c4c60a11b8d5be3f55537beeda629be61196e693bde403b36%40%3Cissues.flink.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r88200d2f0b620c6b4b1585a7171355005c89e678b01d0e71a16c57e7%40%3Cissues.flink.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922%40%3Cannounce.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/ra8c96bf3ccb4e491f9ce87ba35f134b4449beb2a38d1ce28fd89001f%40%3Cdev.flink.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261%40%3Cannounce.apache.org%3E"}, {"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261%40%3Cdev.flink.apache.org%3E"}, {"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261%40%3Cdev.flink.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261%40%3Cuser.flink.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/rcb9e8af775f2a3706b69153aefde78f208871649df057c70ce2e24f9%40%3Cissues.flink.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/rd2467344f88bcaf108b8209ca92da8ec393c68174bfb8c27d1e20faa%40%3Cdev.flink.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/rd6a1a0e2d73220a65a8f6535bbcd24bb66adb0d046c4a1aa18777cf3%40%3Cdev.flink.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/rec0d650fbd4ea1a5e1224a347d83a63cb44291c334ad58b8809bc23b%40%3Cissues.flink.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/rf8812a5703f4a5f1341138baf239258b250875699732cfdf9d55b21d%40%3Cissues.flink.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/rfe159ccf496d75813f24c6079c5d33872d83f5a2e39cb32c3aef5a73%40%3Cissues.flink.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2021/01/05/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/r0b000dc028616d33cb9aa388eb45d516b789cab0024dad94bc06588a%40%3Cissues.flink.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7%40%3Cannounce.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/r229167538863518738e02f4c1c5a8bb34c1d45dadcc97adf6676b0c1%40%3Cdev.flink.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/r26fcdd4fe288323006253437ebc4dd6fdfadfb5e93465a0e4f68420d%40%3Cuser-zh.flink.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/r28f17e564950d663e68cc6fe75756012dda62ac623766bb9bc5e7034%40%3Cissues.flink.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/r4a87837518804b31eb9db3048347ed2bb7b46fbaad5844f22a9fd4dc%40%3Cissues.flink.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/r5444acac3407ef6397d6aef1b5aec2db53b4b88ef221e63084c1e5f2%40%3Cissues.flink.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/r705fb2211b82c9f1f8d2b1d4c823bcbca50402ba09b96608ec657efe%40%3Cissues.flink.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/r710693b0d3b229c81f485804ea1145b4edda79c9e77d66c39a0a2ff1%40%3Cissues.flink.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/r7b2ee88c66fc1d0823e66475631f5c3e7f0365204ff0cb094d9f2433%40%3Cissues.flink.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/r8167f30c4c60a11b8d5be3f55537beeda629be61196e693bde403b36%40%3Cissues.flink.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/r88200d2f0b620c6b4b1585a7171355005c89e678b01d0e71a16c57e7%40%3Cissues.flink.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922%40%3Cannounce.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/ra8c96bf3ccb4e491f9ce87ba35f134b4449beb2a38d1ce28fd89001f%40%3Cdev.flink.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261%40%3Cannounce.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261%40%3Cdev.flink.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261%40%3Cdev.flink.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261%40%3Cuser.flink.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/rcb9e8af775f2a3706b69153aefde78f208871649df057c70ce2e24f9%40%3Cissues.flink.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/rd2467344f88bcaf108b8209ca92da8ec393c68174bfb8c27d1e20faa%40%3Cdev.flink.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/rd6a1a0e2d73220a65a8f6535bbcd24bb66adb0d046c4a1aa18777cf3%40%3Cdev.flink.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/rec0d650fbd4ea1a5e1224a347d83a63cb44291c334ad58b8809bc23b%40%3Cissues.flink.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/rf8812a5703f4a5f1341138baf239258b250875699732cfdf9d55b21d%40%3Cissues.flink.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/rfe159ccf496d75813f24c6079c5d33872d83f5a2e39cb32c3aef5a73%40%3Cissues.flink.apache.org%3E"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-23"}], "source": "security@apache.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{

configurations : [ »

0 : { »

nodes : [ »

0 : { »

cpeMatch : [ »

0 : { »

criteria : cpe:2.3:a:apache:flink:*:*:*:*:*:*:*:* (string)

matchCriteriaId : 080CC731-EB0E-4F46-A9A0-D0AB49C84A83 (string)

versionEndExcluding : 1.11.3 (string)

versionStartIncluding : 1.5.1 (string)

vulnerable : true (boolean)

}

]

negate : false (boolean)

operator : OR (string)

}

]

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : Apache Flink 1.5.1 introduced a REST handler that allows you to write an uploaded file to an arbitrary location on the local file system, through a maliciously modified HTTP HEADER. The files can be written to any location accessible by Flink 1.5.1. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit a5264a6f41524afe8ceadf1d8ddc8c80f323ebc4 from apache/flink:master. (string)

}

1 : { »

lang : es (string)

value : Apache Flink versión 1.5.1, introdujo un controlador de REST que le permite escribir un archivo cargado en una ubicación arbitraria en el sistema de archivos local, por medio de un encabezado HTTP modificado maliciosamente. Los archivos se pueden escribir en cualquier ubicación accesible de Flink versión 1.5.1. Todos los usuarios deben actualizar a Flink versión 1.11.3 o 1.12.0 si sus instancias de Flink están expuestas. El problema se corrigió en el commit a5264a6f41524afe8ceadf1d8ddc8c80f323ebc4 de apache/flink:master (string)

}

]

id : CVE-2020-17518 (string)

lastModified : 2024-11-21T05:08:16.340 (string)

metrics : { »

cvssMetricV2 : [ »

0 : { »

acInsufInfo : false (boolean)

baseSeverity : MEDIUM (string)

cvssData : { »

accessComplexity : LOW (string)

accessVector : NETWORK (string)

authentication : NONE (string)

availabilityImpact : NONE (string)

baseScore : 5 (number)

confidentialityImpact : NONE (string)

integrityImpact : PARTIAL (string)

vectorString : AV:N/AC:L/Au:N/C:N/I:P/A:N (string)

version : 2.0 (string)

}

exploitabilityScore : 10 (number)

impactScore : 2.9 (number)

obtainAllPrivilege : false (boolean)

obtainOtherPrivilege : false (boolean)

obtainUserPrivilege : false (boolean)

source : nvd@nist.gov (string)

type : Primary (string)

userInteractionRequired : false (boolean)

}

]

cvssMetricV31 : [ »

0 : { »

cvssData : { »

attackComplexity : LOW (string)

attackVector : NETWORK (string)

availabilityImpact : NONE (string)

baseScore : 7.5 (number)

baseSeverity : HIGH (string)

confidentialityImpact : NONE (string)

integrityImpact : HIGH (string)

privilegesRequired : NONE (string)

scope : UNCHANGED (string)

userInteraction : NONE (string)

vectorString : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N (string)

version : 3.1 (string)

}

exploitabilityScore : 3.9 (number)

impactScore : 3.6 (number)

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

published : 2021-01-05T12:15:12.367 (string)

references : [ »

0 : { »

source : security@apache.org (string)

tags : [ »

0 : Mailing List (string)

1 : Third Party Advisory (string)

]

url : http://www.openwall.com/lists/oss-security/2021/01/05/1 (string)

}

1 : { »

source : security@apache.org (string)

url : https://lists.apache.org/thread.html/r0b000dc028616d33cb9aa388eb45d516b789cab0024dad94bc06588a%40%3Cissues.flink.apache.org%3E (string)

}

2 : { »

source : security@apache.org (string)

url : https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7%40%3Cannounce.apache.org%3E (string)

}

3 : { »

source : security@apache.org (string)

url : https://lists.apache.org/thread.html/r229167538863518738e02f4c1c5a8bb34c1d45dadcc97adf6676b0c1%40%3Cdev.flink.apache.org%3E (string)

}

4 : { »

source : security@apache.org (string)

url : https://lists.apache.org/thread.html/r26fcdd4fe288323006253437ebc4dd6fdfadfb5e93465a0e4f68420d%40%3Cuser-zh.flink.apache.org%3E (string)

}

5 : { »

source : security@apache.org (string)

url : https://lists.apache.org/thread.html/r28f17e564950d663e68cc6fe75756012dda62ac623766bb9bc5e7034%40%3Cissues.flink.apache.org%3E (string)

}

6 : { »

source : security@apache.org (string)

url : https://lists.apache.org/thread.html/r4a87837518804b31eb9db3048347ed2bb7b46fbaad5844f22a9fd4dc%40%3Cissues.flink.apache.org%3E (string)

}

7 : { »

source : security@apache.org (string)

url : https://lists.apache.org/thread.html/r5444acac3407ef6397d6aef1b5aec2db53b4b88ef221e63084c1e5f2%40%3Cissues.flink.apache.org%3E (string)

}

8 : { »

source : security@apache.org (string)

url : https://lists.apache.org/thread.html/r705fb2211b82c9f1f8d2b1d4c823bcbca50402ba09b96608ec657efe%40%3Cissues.flink.apache.org%3E (string)

}

9 : { »

source : security@apache.org (string)

url : https://lists.apache.org/thread.html/r710693b0d3b229c81f485804ea1145b4edda79c9e77d66c39a0a2ff1%40%3Cissues.flink.apache.org%3E (string)

}

10 : { »

source : security@apache.org (string)

url : https://lists.apache.org/thread.html/r7b2ee88c66fc1d0823e66475631f5c3e7f0365204ff0cb094d9f2433%40%3Cissues.flink.apache.org%3E (string)

}

11 : { »

source : security@apache.org (string)

url : https://lists.apache.org/thread.html/r8167f30c4c60a11b8d5be3f55537beeda629be61196e693bde403b36%40%3Cissues.flink.apache.org%3E (string)

}

12 : { »

source : security@apache.org (string)

url : https://lists.apache.org/thread.html/r88200d2f0b620c6b4b1585a7171355005c89e678b01d0e71a16c57e7%40%3Cissues.flink.apache.org%3E (string)

}

13 : { »

source : security@apache.org (string)

url : https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922%40%3Cannounce.apache.org%3E (string)

}

14 : { »

source : security@apache.org (string)

url : https://lists.apache.org/thread.html/ra8c96bf3ccb4e491f9ce87ba35f134b4449beb2a38d1ce28fd89001f%40%3Cdev.flink.apache.org%3E (string)

}

15 : { »

source : security@apache.org (string)

url : https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261%40%3Cannounce.apache.org%3E (string)

}

16 : { »

source : security@apache.org (string)

tags : [ »

0 : Mailing List (string)

1 : Vendor Advisory (string)

]

url : https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261%40%3Cdev.flink.apache.org%3E (string)

}

17 : { »

source : security@apache.org (string)

tags : [ »

0 : Mailing List (string)

1 : Vendor Advisory (string)

]

url : https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261%40%3Cdev.flink.apache.org%3E (string)

}

18 : { »

source : security@apache.org (string)

url : https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261%40%3Cuser.flink.apache.org%3E (string)

}

19 : { »

source : security@apache.org (string)

url : https://lists.apache.org/thread.html/rcb9e8af775f2a3706b69153aefde78f208871649df057c70ce2e24f9%40%3Cissues.flink.apache.org%3E (string)

}

20 : { »

source : security@apache.org (string)

url : https://lists.apache.org/thread.html/rd2467344f88bcaf108b8209ca92da8ec393c68174bfb8c27d1e20faa%40%3Cdev.flink.apache.org%3E (string)

}

21 : { »

source : security@apache.org (string)

url : https://lists.apache.org/thread.html/rd6a1a0e2d73220a65a8f6535bbcd24bb66adb0d046c4a1aa18777cf3%40%3Cdev.flink.apache.org%3E (string)

}

22 : { »

source : security@apache.org (string)

url : https://lists.apache.org/thread.html/rec0d650fbd4ea1a5e1224a347d83a63cb44291c334ad58b8809bc23b%40%3Cissues.flink.apache.org%3E (string)

}

23 : { »

source : security@apache.org (string)

url : https://lists.apache.org/thread.html/rf8812a5703f4a5f1341138baf239258b250875699732cfdf9d55b21d%40%3Cissues.flink.apache.org%3E (string)

}

24 : { »

source : security@apache.org (string)

url : https://lists.apache.org/thread.html/rfe159ccf496d75813f24c6079c5d33872d83f5a2e39cb32c3aef5a73%40%3Cissues.flink.apache.org%3E (string)

}

25 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Mailing List (string)

1 : Third Party Advisory (string)

]

url : http://www.openwall.com/lists/oss-security/2021/01/05/1 (string)

}

26 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : https://lists.apache.org/thread.html/r0b000dc028616d33cb9aa388eb45d516b789cab0024dad94bc06588a%40%3Cissues.flink.apache.org%3E (string)

}

27 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7%40%3Cannounce.apache.org%3E (string)

}

28 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : https://lists.apache.org/thread.html/r229167538863518738e02f4c1c5a8bb34c1d45dadcc97adf6676b0c1%40%3Cdev.flink.apache.org%3E (string)

}

29 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : https://lists.apache.org/thread.html/r26fcdd4fe288323006253437ebc4dd6fdfadfb5e93465a0e4f68420d%40%3Cuser-zh.flink.apache.org%3E (string)

}

30 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : https://lists.apache.org/thread.html/r28f17e564950d663e68cc6fe75756012dda62ac623766bb9bc5e7034%40%3Cissues.flink.apache.org%3E (string)

}

31 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : https://lists.apache.org/thread.html/r4a87837518804b31eb9db3048347ed2bb7b46fbaad5844f22a9fd4dc%40%3Cissues.flink.apache.org%3E (string)

}

32 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : https://lists.apache.org/thread.html/r5444acac3407ef6397d6aef1b5aec2db53b4b88ef221e63084c1e5f2%40%3Cissues.flink.apache.org%3E (string)

}

33 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : https://lists.apache.org/thread.html/r705fb2211b82c9f1f8d2b1d4c823bcbca50402ba09b96608ec657efe%40%3Cissues.flink.apache.org%3E (string)

}

34 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : https://lists.apache.org/thread.html/r710693b0d3b229c81f485804ea1145b4edda79c9e77d66c39a0a2ff1%40%3Cissues.flink.apache.org%3E (string)

}

35 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : https://lists.apache.org/thread.html/r7b2ee88c66fc1d0823e66475631f5c3e7f0365204ff0cb094d9f2433%40%3Cissues.flink.apache.org%3E (string)

}

36 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : https://lists.apache.org/thread.html/r8167f30c4c60a11b8d5be3f55537beeda629be61196e693bde403b36%40%3Cissues.flink.apache.org%3E (string)

}

37 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : https://lists.apache.org/thread.html/r88200d2f0b620c6b4b1585a7171355005c89e678b01d0e71a16c57e7%40%3Cissues.flink.apache.org%3E (string)

}

38 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922%40%3Cannounce.apache.org%3E (string)

}

39 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : https://lists.apache.org/thread.html/ra8c96bf3ccb4e491f9ce87ba35f134b4449beb2a38d1ce28fd89001f%40%3Cdev.flink.apache.org%3E (string)

}

40 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261%40%3Cannounce.apache.org%3E (string)

}

41 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Mailing List (string)

1 : Vendor Advisory (string)

]

url : https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261%40%3Cdev.flink.apache.org%3E (string)

}

42 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Mailing List (string)

1 : Vendor Advisory (string)

]

url : https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261%40%3Cdev.flink.apache.org%3E (string)

}

43 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261%40%3Cuser.flink.apache.org%3E (string)

}

44 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : https://lists.apache.org/thread.html/rcb9e8af775f2a3706b69153aefde78f208871649df057c70ce2e24f9%40%3Cissues.flink.apache.org%3E (string)

}

45 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : https://lists.apache.org/thread.html/rd2467344f88bcaf108b8209ca92da8ec393c68174bfb8c27d1e20faa%40%3Cdev.flink.apache.org%3E (string)

}

46 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : https://lists.apache.org/thread.html/rd6a1a0e2d73220a65a8f6535bbcd24bb66adb0d046c4a1aa18777cf3%40%3Cdev.flink.apache.org%3E (string)

}

47 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : https://lists.apache.org/thread.html/rec0d650fbd4ea1a5e1224a347d83a63cb44291c334ad58b8809bc23b%40%3Cissues.flink.apache.org%3E (string)

}

48 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : https://lists.apache.org/thread.html/rf8812a5703f4a5f1341138baf239258b250875699732cfdf9d55b21d%40%3Cissues.flink.apache.org%3E (string)

}

49 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : https://lists.apache.org/thread.html/rfe159ccf496d75813f24c6079c5d33872d83f5a2e39cb32c3aef5a73%40%3Cissues.flink.apache.org%3E (string)

}

]

sourceIdentifier : security@apache.org (string)

vulnStatus : Modified (string)

weaknesses : [ »

0 : { »

description : [ »

0 : { »

lang : en (string)

value : CWE-23 (string)

}

]

source : security@apache.org (string)

type : Secondary (string)

}

1 : { »

description : [ »

0 : { »

lang : en (string)

value : CWE-22 (string)

}

]

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

Show plain JSON

{"affected_release": [{"advisory": "RHSA-2021:3140", "cpe": "cpe:/a:redhat:jboss_fuse:7", "package": "flink", "product_name": "Red Hat Fuse 7.9", "release_date": "2021-08-11T00:00:00Z"}, {"advisory": "RHSA-2021:3205", "cpe": "cpe:/a:redhat:integration:1", "package": "flink", "product_name": "Red Hat Integration", "release_date": "2021-08-18T00:00:00Z"}, {"advisory": "RHSA-2021:3207", "cpe": "cpe:/a:redhat:camel_quarkus:2", "impact": "moderate", "package": "flink", "product_name": "Red Hat Integration Camel Quarkus 1", "release_date": "2021-08-18T00:00:00Z"}], "bugzilla": {"description": "apache-flink: directory traversal attack allows remote file writing through the REST API", "id": "1913312", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1913312"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "status": "verified"}, "cwe": "CWE-22", "details": ["Apache Flink 1.5.1 introduced a REST handler that allows you to write an uploaded file to an arbitrary location on the local file system, through a maliciously modified HTTP HEADER. The files can be written to any location accessible by Flink 1.5.1. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit a5264a6f41524afe8ceadf1d8ddc8c80f323ebc4 from apache/flink:master."], "name": "CVE-2020-17518", "public_date": "2021-01-05T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-17518\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-17518"], "threat_severity": "Moderate"}

{

affected_release : [ »

0 : { »

advisory : RHSA-2021:3140 (string)

cpe : cpe:/a:redhat:jboss_fuse:7 (string)

package : flink (string)

product_name : Red Hat Fuse 7.9 (string)

release_date : 2021-08-11T00:00:00Z (string)

}

1 : { »

advisory : RHSA-2021:3205 (string)

cpe : cpe:/a:redhat:integration:1 (string)

package : flink (string)

product_name : Red Hat Integration (string)

release_date : 2021-08-18T00:00:00Z (string)

}

2 : { »

advisory : RHSA-2021:3207 (string)

cpe : cpe:/a:redhat:camel_quarkus:2 (string)

impact : moderate (string)

package : flink (string)

product_name : Red Hat Integration Camel Quarkus 1 (string)

release_date : 2021-08-18T00:00:00Z (string)

}

]

bugzilla : { »

description : apache-flink: directory traversal attack allows remote file writing through the REST API (string)

id : 1913312 (string)

url : https://bugzilla.redhat.com/show_bug.cgi?id=1913312 (string)

}

csaw : false (boolean)

cvss3 : { »

cvss3_base_score : 7.5 (string)

cvss3_scoring_vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N (string)

status : verified (string)

}

cwe : CWE-22 (string)

details : [ »

0 : Apache Flink 1.5.1 introduced a REST handler that allows you to write an uploaded file to an arbitrary location on the local file system, through a maliciously modified HTTP HEADER. The files can be written to any location accessible by Flink 1.5.1. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit a5264a6f41524afe8ceadf1d8ddc8c80f323ebc4 from apache/flink:master. (string)

]

name : CVE-2020-17518 (string)

public_date : 2021-01-05T00:00:00Z (string)

references : [ »

0 : https://www.cve.org/CVERecord?id=CVE-2020-17518 https://nvd.nist.gov/vuln/detail/CVE-2020-17518 (string)

]

threat_severity : Moderate (string)

}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object