CVE-2020-17519

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 05 January 2021
Modified: 27 October 2025
KEV Added: 23 May 2024
Patch
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.9433 (100.0th percentile)
Risk Priority: 92 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2020-17519 is a high-severity Files or Directories Accessible to External Parties (CWE-552) vulnerability in Apache Flink. Its CVSS base score is 7.5 (High).

Operationally, it is ranked in the top 0.0% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

Apache Flink versions 1.11.0, 1.11.1, and 1.11.2 contain a path traversal flaw in the JobManager component that exposes the local filesystem to remote reads over the REST interface. The change introduced in 1.11.0 permits requests that retrieve any file readable by the JobManager process. The flaw is classified under CWE-552, and its CVSS 3.1 score of 7.5 reflects a network attack vector and high confidentiality impact with no authentication required.

An unauthenticated attacker who can reach an exposed JobManager REST endpoint can issue crafted requests to traverse directories and exfiltrate configuration files, credentials, or other sensitive data stored on the underlying host. Exploitation is limited only by the operating-system permissions of the user account under which the JobManager executes.

Apache security advisories and the associated mailing-list announcements direct operators to upgrade immediately to Flink 1.11.3 or 1.12.0; the correction is tracked in commit b561010b0ee741543c3953306037f00d7a9f0801. Public references also include a Packet Storm entry describing directory-traversal proof-of-concept traffic targeting the affected REST endpoints.

Vulnerability details

A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. Access is restricted to files accessible by the JobManager process. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit b561010b0ee741543c3953306037f00d7a9f0801 from apache/flink:master.

CWE(s): CWE-552
KEV Date Added: 23 May 2024

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: apache
Product: flink
Versions: 1.11.0 — 1.11.3

Mitigating Controls (NIST 800-53 r5)

prevent

Enforces access restrictions on JobManager REST endpoints so that unauthenticated requests cannot read arbitrary local files.

prevent

Requires validation of user-supplied file paths in REST requests to block the directory-traversal sequences introduced in 1.11.0.

prevent

Restricts network exposure of the JobManager REST interface to only trusted sources, limiting the attack surface for unauthenticated file reads.
