CVE-2020-17519
Published: 05 January 2021
Summary
CVE-2020-17519 is a high-severity Files or Directories Accessible to External Parties (CWE-552) vulnerability in Apache Flink. Its CVSS base score is 7.5 (High).
Operationally, it is ranked in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
Apache Flink versions 1.11.0, 1.11.1, and 1.11.2 contain a path traversal flaw in the JobManager component that exposes the local filesystem to remote reads over the REST interface. The change introduced in 1.11.0 permits requests that retrieve any file readable by the JobManager process. The flaw is classified under CWE-552; its CVSS 3.1 score of 7.5 reflects a network attack vector, no authentication requirement, and high confidentiality impact.
An unauthenticated attacker who can reach an exposed JobManager REST endpoint can issue crafted requests to traverse directories and exfiltrate configuration files, credentials, or other sensitive data stored on the underlying host. Exploitation is limited only by the operating-system permissions of the user account under which the JobManager executes.
Apache security advisories and the associated mailing-list announcements direct operators to upgrade immediately to Flink 1.11.3 or 1.12.0; the correction is tracked in commit b561010b0ee741543c3953306037f00d7a9f0801. Public references also include a Packet Storm entry describing directory-traversal proof-of-concept traffic targeting the affected REST endpoints.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-0481
Vulnerability details
A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. Access is restricted to files accessible by the JobManager process. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit b561010b0ee741543c3953306037f00d7a9f0801 from apache/flink:master.
- CWE(s): CWE-552
- KEV Date Added: 23 May 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforces access restrictions on JobManager REST endpoints so that unauthenticated requests cannot read arbitrary local files.
- SI-10 (Information Input Validation): requires validation of user-supplied file paths in REST requests to block the directory-traversal sequences introduced in 1.11.0.
- Restricts network exposure of the JobManager REST interface to only trusted sources, limiting the attack surface for unauthenticated file reads.
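As an added illustration of the SI-10 control above (this is example code, not Apache Flink's own fix or API), the check below decodes a client-supplied file name, rejects parent-directory segments and absolute paths, and then confirms that the resolved path still lies inside the directory the server intends to serve. The base directory and request values are constructed for the example.

```python
import urllib.parse
from pathlib import Path

# Added illustration of an SI-10 style path check (not Apache Flink's code):
# a file name received over a REST interface is accepted only if it maps to
# a path inside the directory the server intends to serve.

def _fully_unquote(value: str, max_rounds: int = 5) -> str:
    """Percent-decode until the value stops changing, so the checks below
    see the same text the filesystem would, even if it was encoded twice."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("excessive percent-encoding nesting")

def resolve_served_file(base_dir: str, requested: str) -> Path:
    """Return base_dir/<requested> if it stays inside base_dir, else raise.

    Rejects NUL bytes, absolute paths, '..' segments (after decoding and
    with backslashes treated as separators) and any resolved path that
    lands outside base_dir, e.g. via a symlink."""
    normalized = _fully_unquote(requested).replace("\\", "/")
    if "\0" in normalized or normalized.startswith("/"):
        raise ValueError("NUL byte or absolute path rejected")
    if ".." in normalized.split("/"):
        raise ValueError("parent-directory segment rejected")
    base = Path(base_dir).resolve()
    candidate = (base / normalized).resolve()
    try:
        candidate.relative_to(base)  # raises ValueError if outside base
    except ValueError:
        raise ValueError("resolved path escapes base directory") from None
    return candidate

def classify_requests(base_dir: str, names: list) -> dict:
    """Run the check over several request values and report 'allowed' or
    'rejected' for each; handy as a regression table for the validator."""
    outcome = {}
    for name in names:
        try:
            resolve_served_file(base_dir, name)
            outcome[name] = "allowed"
        except ValueError:
            outcome[name] = "rejected"
    return outcome

if __name__ == "__main__":
    base = "/tmp/flink-jobmanager-example"  # constructed base directory
    sample = ["jobmanager.log", "logs/taskmanager.out", "../outside.txt"]
    for name, verdict in classify_requests(base, sample).items():
        print(f"{name!r}: {verdict}")
```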