A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. Access is restricted to files accessible by the JobManager process. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit b561010b0ee741543c3953306037f00d7a9f0801 from apache/flink:master.
References
Link Providers
http://packetstormsecurity.com/files/160849/Apache-Flink-1.11.0-Arbitrary-File-Read-Directory-Traversal.html cve-icon cve-icon cve-icon
http://www.openwall.com/lists/oss-security/2021/01/05/2 cve-icon cve-icon cve-icon
https://lists.apache.org/thread.html/r0a433be10676f4fe97ca423d08f914e0ead341c901216f292d2bbe83%40%3Cissues.flink.apache.org%3E cve-icon cve-icon cve-icon
https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7%40%3Cannounce.apache.org%3E cve-icon cve-icon cve-icon
https://lists.apache.org/thread.html/r229167538863518738e02f4c1c5a8bb34c1d45dadcc97adf6676b0c1%40%3Cdev.flink.apache.org%3E cve-icon cve-icon cve-icon
https://lists.apache.org/thread.html/r26fcdd4fe288323006253437ebc4dd6fdfadfb5e93465a0e4f68420d%40%3Cuser-zh.flink.apache.org%3E cve-icon cve-icon cve-icon
https://lists.apache.org/thread.html/r28f17e564950d663e68cc6fe75756012dda62ac623766bb9bc5e7034%40%3Cissues.flink.apache.org%3E cve-icon cve-icon cve-icon
https://lists.apache.org/thread.html/r2fc60b30557e4a537c2a6293023049bd1c49fd92b518309aa85a0398%40%3Cissues.flink.apache.org%3E cve-icon cve-icon cve-icon
https://lists.apache.org/thread.html/r4e1b72bfa789ea5bc20b8afe56119200ed25bdab0eb80d664fa5bfe2%40%3Cdev.flink.apache.org%3E cve-icon cve-icon cve-icon
https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d%40%3Cannounce.apache.org%3E cve-icon cve-icon cve-icon
https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d%40%3Cdev.flink.apache.org%3E cve-icon cve-icon cve-icon
https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d%40%3Cuser.flink.apache.org%3E cve-icon cve-icon cve-icon
https://lists.apache.org/thread.html/r88b55f3ebf1f8f4e1cc61f030252aaef4b77060b56557a243abb92a1%40%3Cissues.flink.apache.org%3E cve-icon cve-icon cve-icon
https://lists.apache.org/thread.html/r88f427865fb6aa6e6378efe07632a1906b430365e15e3b9621aabe1d%40%3Cissues.flink.apache.org%3E cve-icon cve-icon cve-icon
https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922%40%3Cannounce.apache.org%3E cve-icon cve-icon cve-icon
https://lists.apache.org/thread.html/ra8c96bf3ccb4e491f9ce87ba35f134b4449beb2a38d1ce28fd89001f%40%3Cdev.flink.apache.org%3E cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2020-17519 cve-icon
https://www.cisa.gov/known-exploited-vulnerabilities-catalog cve-icon
https://www.cve.org/CVERecord?id=CVE-2020-17519 cve-icon
History

Wed, 14 Aug 2024 01:00:00 +0000

Type Values Removed Values Added
References

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published: 2021-01-05T11:40:14

Updated: 2024-08-04T14:00:48.269Z

Reserved: 2020-08-12T00:00:00

Link: CVE-2020-17519

cve-icon Vulnrichment

Updated: 2024-08-04T14:00:48.269Z

cve-icon NVD

Status : Modified

Published: 2021-01-05T12:15:12.680

Modified: 2024-11-21T05:08:16.523

Link: CVE-2020-17519

cve-icon Redhat

Severity : Moderate

Publid Date: 2021-01-05T00:00:00Z

Links: CVE-2020-17519 - Bugzilla