{"containers": {"cna": {"affected": [{"product": "Apache Flink", "vendor": "Apache Software Foundation", "versions": [{"status": "affected", "version": "Apache Flink 1.11.0 to 1.11.2"}]}], "credits": [{"lang": "en", "value": "0rich1 of Ant Security FG Lab"}], "descriptions": [{"lang": "en", "value": "A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. Access is restricted to files accessible by the JobManager process. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit b561010b0ee741543c3953306037f00d7a9f0801 from apache/flink:master."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-552", "description": "CWE-552 Files or Directories Accessible to External Parties", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2024-06-04T18:41:23.000Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d%40%3Cdev.flink.apache.org%3E"}, {"name": "[flink-user] 20210105 [CVE-2020-17519] Apache Flink directory traversal attack: reading remote files through the REST API", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d%40%3Cuser.flink.apache.org%3E"}, {"name": "[flink-dev] 20210105 [CVE-2020-17519] Apache Flink directory traversal attack: reading remote files through the REST API", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d%40%3Cdev.flink.apache.org%3E"}, {"name": "[announce] 20210105 [CVE-2020-17519] Apache Flink directory traversal attack: reading remote files through the REST API", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d%40%3Cannounce.apache.org%3E"}, {"name": "[oss-security] 20210105 [CVE-2020-17519] Apache Flink directory traversal attack: reading remote files through the REST API", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2021/01/05/2"}, {"name": "[flink-issues] 20210106 [GitHub] [flink-web] zentol commented on a change in pull request #408: Add security page for Flink", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r28f17e564950d663e68cc6fe75756012dda62ac623766bb9bc5e7034%40%3Cissues.flink.apache.org%3E"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/160849/Apache-Flink-1.11.0-Arbitrary-File-Read-Directory-Traversal.html"}, {"name": "[flink-issues] 20210110 [jira] [Updated] (FLINK-20916) Typo in test for CVE-2020-17519", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r2fc60b30557e4a537c2a6293023049bd1c49fd92b518309aa85a0398%40%3Cissues.flink.apache.org%3E"}, {"name": "[flink-dev] 20210110 [jira] [Created] (FLINK-20916) Typo in test for CVE-2020-17519", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r4e1b72bfa789ea5bc20b8afe56119200ed25bdab0eb80d664fa5bfe2%40%3Cdev.flink.apache.org%3E"}, {"name": "[flink-issues] 20210110 [jira] [Created] (FLINK-20916) Typo in test for CVE-2020-17519", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r0a433be10676f4fe97ca423d08f914e0ead341c901216f292d2bbe83%40%3Cissues.flink.apache.org%3E"}, {"name": "[flink-issues] 20210111 [jira] [Assigned] (FLINK-20916) Typo in test for CVE-2020-17519", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r88b55f3ebf1f8f4e1cc61f030252aaef4b77060b56557a243abb92a1%40%3Cissues.flink.apache.org%3E"}, {"name": "[flink-issues] 20210111 [jira] [Commented] (FLINK-20916) Typo in test for CVE-2020-17519", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r88f427865fb6aa6e6378efe07632a1906b430365e15e3b9621aabe1d%40%3Cissues.flink.apache.org%3E"}, {"name": "[flink-dev] 20210113 Re: [DISCUSS] Releasing Apache Flink 1.10.3", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/ra8c96bf3ccb4e491f9ce87ba35f134b4449beb2a38d1ce28fd89001f%40%3Cdev.flink.apache.org%3E"}, {"name": "[flink-dev] 20210115 Re: [DISCUSS] Releasing Apache Flink 1.10.3", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r229167538863518738e02f4c1c5a8bb34c1d45dadcc97adf6676b0c1%40%3Cdev.flink.apache.org%3E"}, {"name": "[announce] 20210125 Apache Software Foundation Security Report: 2020", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922%40%3Cannounce.apache.org%3E"}, {"name": "[announce] 20210223 Re: Apache Software Foundation Security Report: 2020", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7%40%3Cannounce.apache.org%3E"}, {"tags": ["x_refsource_MISC"], "url": "https://lists.apache.org/thread.html/r26fcdd4fe288323006253437ebc4dd6fdfadfb5e93465a0e4f68420d%40%3Cuser-zh.flink.apache.org%3E"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Flink directory traversal attack: reading remote files through the REST API", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2020-17519", "STATE": "PUBLIC", "TITLE": "Apache Flink directory traversal attack: reading remote files through the REST API"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Flink", "version": {"version_data": [{"version_affected": "=", "version_name": "Apache Flink", "version_value": "1.11.0 to 1.11.2"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "credit": [{"lang": "eng", "value": "0rich1 of Ant Security FG Lab"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. Access is restricted to files accessible by the JobManager process. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit b561010b0ee741543c3953306037f00d7a9f0801 from apache/flink:master."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-552 Files or Directories Accessible to External Parties"}]}]}, "references": {"reference_data": [{"name": "https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d%40%3Cdev.flink.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d%40%3Cdev.flink.apache.org%3E"}, {"name": "[flink-user] 20210105 [CVE-2020-17519] Apache Flink directory traversal attack: reading remote files through the REST API", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d@%3Cuser.flink.apache.org%3E"}, {"name": "[flink-dev] 20210105 [CVE-2020-17519] Apache Flink directory traversal attack: reading remote files through the REST API", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d@%3Cdev.flink.apache.org%3E"}, {"name": "[announce] 20210105 [CVE-2020-17519] Apache Flink directory traversal attack: reading remote files through the REST API", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d@%3Cannounce.apache.org%3E"}, {"name": "[oss-security] 20210105 [CVE-2020-17519] Apache Flink directory traversal attack: reading remote files through the REST API", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2021/01/05/2"}, {"name": "[flink-issues] 20210106 [GitHub] [flink-web] zentol commented on a change in pull request #408: Add security page for Flink", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r28f17e564950d663e68cc6fe75756012dda62ac623766bb9bc5e7034@%3Cissues.flink.apache.org%3E"}, {"name": "http://packetstormsecurity.com/files/160849/Apache-Flink-1.11.0-Arbitrary-File-Read-Directory-Traversal.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/160849/Apache-Flink-1.11.0-Arbitrary-File-Read-Directory-Traversal.html"}, {"name": "[flink-issues] 20210110 [jira] [Updated] (FLINK-20916) Typo in test for CVE-2020-17519", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r2fc60b30557e4a537c2a6293023049bd1c49fd92b518309aa85a0398@%3Cissues.flink.apache.org%3E"}, {"name": "[flink-dev] 20210110 [jira] [Created] (FLINK-20916) Typo in test for CVE-2020-17519", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r4e1b72bfa789ea5bc20b8afe56119200ed25bdab0eb80d664fa5bfe2@%3Cdev.flink.apache.org%3E"}, {"name": "[flink-issues] 20210110 [jira] [Created] (FLINK-20916) Typo in test for CVE-2020-17519", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r0a433be10676f4fe97ca423d08f914e0ead341c901216f292d2bbe83@%3Cissues.flink.apache.org%3E"}, {"name": "[flink-issues] 20210111 [jira] [Assigned] (FLINK-20916) Typo in test for CVE-2020-17519", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r88b55f3ebf1f8f4e1cc61f030252aaef4b77060b56557a243abb92a1@%3Cissues.flink.apache.org%3E"}, {"name": "[flink-issues] 20210111 [jira] [Commented] (FLINK-20916) Typo in test for CVE-2020-17519", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r88f427865fb6aa6e6378efe07632a1906b430365e15e3b9621aabe1d@%3Cissues.flink.apache.org%3E"}, {"name": "[flink-dev] 20210113 Re: [DISCUSS] Releasing Apache Flink 1.10.3", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/ra8c96bf3ccb4e491f9ce87ba35f134b4449beb2a38d1ce28fd89001f@%3Cdev.flink.apache.org%3E"}, {"name": "[flink-dev] 20210115 Re: [DISCUSS] Releasing Apache Flink 1.10.3", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r229167538863518738e02f4c1c5a8bb34c1d45dadcc97adf6676b0c1@%3Cdev.flink.apache.org%3E"}, {"name": "[announce] 20210125 Apache Software Foundation Security Report: 2020", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922@%3Cannounce.apache.org%3E"}, {"name": "[announce] 20210223 Re: Apache Software Foundation Security Report: 2020", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7@%3Cannounce.apache.org%3E"}, {"name": "https://lists.apache.org/thread.html/r26fcdd4fe288323006253437ebc4dd6fdfadfb5e93465a0e4f68420d@%3Cuser-zh.flink.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/r26fcdd4fe288323006253437ebc4dd6fdfadfb5e93465a0e4f68420d@%3Cuser-zh.flink.apache.org%3E"}]}, "source": {"discovery": "UNKNOWN"}}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2020-17519", "role": "CISA Coordinator", "options": [{"Exploitation": "active"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-24T13:06:18.393321Z"}}}, {"other": {"type": "kev", "content": {"dateAdded": "2024-05-23", "reference": "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"}}}], "affected": [{"cpes": ["cpe:2.3:a:apache:flink:1.11.0:-:*:*:*:*:*:*"], "vendor": "apache", "product": "flink", "versions": [{"status": "affected", "version": "1.11.0", "versionType": "semver", "lessThanOrEqual": "1.11.2"}], "defaultStatus": "unknown"}], "timeline": [{"lang": "en", "time": "2024-05-23T00:00:00+00:00", "value": "CVE-2020-17519 added to CISA KEV"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:12:21.925Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T14:00:48.269Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d%40%3Cdev.flink.apache.org%3E"}, {"name": "[flink-user] 20210105 [CVE-2020-17519] Apache Flink directory traversal attack: reading remote files through the REST API", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d%40%3Cuser.flink.apache.org%3E"}, {"name": "[flink-dev] 20210105 [CVE-2020-17519] Apache Flink directory traversal attack: reading remote files through the REST API", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d%40%3Cdev.flink.apache.org%3E"}, {"name": "[announce] 20210105 [CVE-2020-17519] Apache Flink directory traversal attack: reading remote files through the REST API", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d%40%3Cannounce.apache.org%3E"}, {"name": "[oss-security] 20210105 [CVE-2020-17519] Apache Flink directory traversal attack: reading remote files through the REST API", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2021/01/05/2"}, {"name": "[flink-issues] 20210106 [GitHub] [flink-web] zentol commented on a change in pull request #408: Add security page for Flink", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r28f17e564950d663e68cc6fe75756012dda62ac623766bb9bc5e7034%40%3Cissues.flink.apache.org%3E"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://packetstormsecurity.com/files/160849/Apache-Flink-1.11.0-Arbitrary-File-Read-Directory-Traversal.html"}, {"name": "[flink-issues] 20210110 [jira] [Updated] (FLINK-20916) Typo in test for CVE-2020-17519", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r2fc60b30557e4a537c2a6293023049bd1c49fd92b518309aa85a0398%40%3Cissues.flink.apache.org%3E"}, {"name": "[flink-dev] 20210110 [jira] [Created] (FLINK-20916) Typo in test for CVE-2020-17519", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r4e1b72bfa789ea5bc20b8afe56119200ed25bdab0eb80d664fa5bfe2%40%3Cdev.flink.apache.org%3E"}, {"name": "[flink-issues] 20210110 [jira] [Created] (FLINK-20916) Typo in test for CVE-2020-17519", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r0a433be10676f4fe97ca423d08f914e0ead341c901216f292d2bbe83%40%3Cissues.flink.apache.org%3E"}, {"name": "[flink-issues] 20210111 [jira] [Assigned] (FLINK-20916) Typo in test for CVE-2020-17519", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r88b55f3ebf1f8f4e1cc61f030252aaef4b77060b56557a243abb92a1%40%3Cissues.flink.apache.org%3E"}, {"name": "[flink-issues] 20210111 [jira] [Commented] (FLINK-20916) Typo in test for CVE-2020-17519", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r88f427865fb6aa6e6378efe07632a1906b430365e15e3b9621aabe1d%40%3Cissues.flink.apache.org%3E"}, {"name": "[flink-dev] 20210113 Re: [DISCUSS] Releasing Apache Flink 1.10.3", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/ra8c96bf3ccb4e491f9ce87ba35f134b4449beb2a38d1ce28fd89001f%40%3Cdev.flink.apache.org%3E"}, {"name": "[flink-dev] 20210115 Re: [DISCUSS] Releasing Apache Flink 1.10.3", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r229167538863518738e02f4c1c5a8bb34c1d45dadcc97adf6676b0c1%40%3Cdev.flink.apache.org%3E"}, {"name": "[announce] 20210125 Apache Software Foundation Security Report: 2020", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922%40%3Cannounce.apache.org%3E"}, {"name": "[announce] 20210223 Re: Apache Software Foundation Security Report: 2020", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7%40%3Cannounce.apache.org%3E"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://lists.apache.org/thread.html/r26fcdd4fe288323006253437ebc4dd6fdfadfb5e93465a0e4f68420d%40%3Cuser-zh.flink.apache.org%3E"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2020-17519", "datePublished": "2021-01-05T11:40:14.000Z", "dateReserved": "2020-08-12T00:00:00.000Z", "dateUpdated": "2025-02-13T16:27:34.617Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d%40%3Cdev.flink.apache.org%3E", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d%40%3Cuser.flink.apache.org%3E", "name": "[flink-user] 20210105 [CVE-2020-17519] Apache Flink directory traversal attack: reading remote files through the REST API", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"]}, {"url": "https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d%40%3Cdev.flink.apache.org%3E", "name": "[flink-dev] 20210105 [CVE-2020-17519] Apache Flink directory traversal attack: reading remote files through the REST API", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"]}, {"url": "https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d%40%3Cannounce.apache.org%3E", "name": "[announce] 20210105 [CVE-2020-17519] Apache Flink directory traversal attack: reading remote files through the REST API", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2021/01/05/2", "name": "[oss-security] 20210105 [CVE-2020-17519] Apache Flink directory traversal attack: reading remote files through the REST API", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"]}, {"url": "https://lists.apache.org/thread.html/r28f17e564950d663e68cc6fe75756012dda62ac623766bb9bc5e7034%40%3Cissues.flink.apache.org%3E", "name": "[flink-issues] 20210106 [GitHub] [flink-web] zentol commented on a change in pull request #408: Add security page for Flink", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"]}, {"url": "http://packetstormsecurity.com/files/160849/Apache-Flink-1.11.0-Arbitrary-File-Read-Directory-Traversal.html", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://lists.apache.org/thread.html/r2fc60b30557e4a537c2a6293023049bd1c49fd92b518309aa85a0398%40%3Cissues.flink.apache.org%3E", "name": "[flink-issues] 20210110 [jira] [Updated] (FLINK-20916) Typo in test for CVE-2020-17519", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"]}, {"url": "https://lists.apache.org/thread.html/r4e1b72bfa789ea5bc20b8afe56119200ed25bdab0eb80d664fa5bfe2%40%3Cdev.flink.apache.org%3E", "name": "[flink-dev] 20210110 [jira] [Created] (FLINK-20916) Typo in test for CVE-2020-17519", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"]}, {"url": "https://lists.apache.org/thread.html/r0a433be10676f4fe97ca423d08f914e0ead341c901216f292d2bbe83%40%3Cissues.flink.apache.org%3E", "name": "[flink-issues] 20210110 [jira] [Created] (FLINK-20916) Typo in test for CVE-2020-17519", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"]}, {"url": "https://lists.apache.org/thread.html/r88b55f3ebf1f8f4e1cc61f030252aaef4b77060b56557a243abb92a1%40%3Cissues.flink.apache.org%3E", "name": "[flink-issues] 20210111 [jira] [Assigned] (FLINK-20916) Typo in test for CVE-2020-17519", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"]}, {"url": "https://lists.apache.org/thread.html/r88f427865fb6aa6e6378efe07632a1906b430365e15e3b9621aabe1d%40%3Cissues.flink.apache.org%3E", "name": "[flink-issues] 20210111 [jira] [Commented] (FLINK-20916) Typo in test for CVE-2020-17519", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"]}, {"url": "https://lists.apache.org/thread.html/ra8c96bf3ccb4e491f9ce87ba35f134b4449beb2a38d1ce28fd89001f%40%3Cdev.flink.apache.org%3E", "name": "[flink-dev] 20210113 Re: [DISCUSS] Releasing Apache Flink 1.10.3", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"]}, {"url": "https://lists.apache.org/thread.html/r229167538863518738e02f4c1c5a8bb34c1d45dadcc97adf6676b0c1%40%3Cdev.flink.apache.org%3E", "name": "[flink-dev] 20210115 Re: [DISCUSS] Releasing Apache Flink 1.10.3", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"]}, {"url": "https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922%40%3Cannounce.apache.org%3E", "name": "[announce] 20210125 Apache Software Foundation Security Report: 2020", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"]}, {"url": "https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7%40%3Cannounce.apache.org%3E", "name": "[announce] 20210223 Re: Apache Software Foundation Security Report: 2020", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"]}, {"url": "https://lists.apache.org/thread.html/r26fcdd4fe288323006253437ebc4dd6fdfadfb5e93465a0e4f68420d%40%3Cuser-zh.flink.apache.org%3E", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T14:00:48.269Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2020-17519", "role": "CISA Coordinator", "options": [{"Exploitation": "active"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-24T13:06:18.393321Z"}}}, {"other": {"type": "kev", "content": {"dateAdded": "2024-05-23", "reference": "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"}}}], "affected": [{"cpes": ["cpe:2.3:a:apache:flink:1.11.0:-:*:*:*:*:*:*"], "vendor": "apache", "product": "flink", "versions": [{"status": "affected", "version": "1.11.0", "versionType": "semver", "lessThanOrEqual": "1.11.2"}], "defaultStatus": "unknown"}], "timeline": [{"lang": "en", "time": "2024-05-23T00:00:00+00:00", "value": "CVE-2020-17519 added to CISA KEV"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-22T17:13:42.620Z"}}], "cna": {"title": "Apache Flink directory traversal attack: reading remote files through the REST API", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "value": "0rich1 of Ant Security FG Lab"}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Flink", "versions": [{"status": "affected", "version": "Apache Flink 1.11.0 to 1.11.2"}]}], "references": [{"url": "https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d%40%3Cdev.flink.apache.org%3E", "tags": ["x_refsource_MISC"]}, {"url": "https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d%40%3Cuser.flink.apache.org%3E", "name": "[flink-user] 20210105 [CVE-2020-17519] Apache Flink directory traversal attack: reading remote files through the REST API", "tags": ["mailing-list", "x_refsource_MLIST"]}, {"url": "https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d%40%3Cdev.flink.apache.org%3E", "name": "[flink-dev] 20210105 [CVE-2020-17519] Apache Flink directory traversal attack: reading remote files through the REST API", "tags": ["mailing-list", "x_refsource_MLIST"]}, {"url": "https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d%40%3Cannounce.apache.org%3E", "name": "[announce] 20210105 [CVE-2020-17519] Apache Flink directory traversal attack: reading remote files through the REST API", "tags": ["mailing-list", "x_refsource_MLIST"]}, {"url": "http://www.openwall.com/lists/oss-security/2021/01/05/2", "name": "[oss-security] 20210105 [CVE-2020-17519] Apache Flink directory traversal attack: reading remote files through the REST API", "tags": ["mailing-list", "x_refsource_MLIST"]}, {"url": "https://lists.apache.org/thread.html/r28f17e564950d663e68cc6fe75756012dda62ac623766bb9bc5e7034%40%3Cissues.flink.apache.org%3E", "name": "[flink-issues] 20210106 [GitHub] [flink-web] zentol commented on a change in pull request #408: Add security page for Flink", "tags": ["mailing-list", "x_refsource_MLIST"]}, {"url": "http://packetstormsecurity.com/files/160849/Apache-Flink-1.11.0-Arbitrary-File-Read-Directory-Traversal.html", "tags": ["x_refsource_MISC"]}, {"url": "https://lists.apache.org/thread.html/r2fc60b30557e4a537c2a6293023049bd1c49fd92b518309aa85a0398%40%3Cissues.flink.apache.org%3E", "name": "[flink-issues] 20210110 [jira] [Updated] (FLINK-20916) Typo in test for CVE-2020-17519", "tags": ["mailing-list", "x_refsource_MLIST"]}, {"url": "https://lists.apache.org/thread.html/r4e1b72bfa789ea5bc20b8afe56119200ed25bdab0eb80d664fa5bfe2%40%3Cdev.flink.apache.org%3E", "name": "[flink-dev] 20210110 [jira] [Created] (FLINK-20916) Typo in test for CVE-2020-17519", "tags": ["mailing-list", "x_refsource_MLIST"]}, {"url": "https://lists.apache.org/thread.html/r0a433be10676f4fe97ca423d08f914e0ead341c901216f292d2bbe83%40%3Cissues.flink.apache.org%3E", "name": "[flink-issues] 20210110 [jira] [Created] (FLINK-20916) Typo in test for CVE-2020-17519", "tags": ["mailing-list", "x_refsource_MLIST"]}, {"url": "https://lists.apache.org/thread.html/r88b55f3ebf1f8f4e1cc61f030252aaef4b77060b56557a243abb92a1%40%3Cissues.flink.apache.org%3E", "name": "[flink-issues] 20210111 [jira] [Assigned] (FLINK-20916) Typo in test for CVE-2020-17519", "tags": ["mailing-list", "x_refsource_MLIST"]}, {"url": "https://lists.apache.org/thread.html/r88f427865fb6aa6e6378efe07632a1906b430365e15e3b9621aabe1d%40%3Cissues.flink.apache.org%3E", "name": "[flink-issues] 20210111 [jira] [Commented] (FLINK-20916) Typo in test for CVE-2020-17519", "tags": ["mailing-list", "x_refsource_MLIST"]}, {"url": "https://lists.apache.org/thread.html/ra8c96bf3ccb4e491f9ce87ba35f134b4449beb2a38d1ce28fd89001f%40%3Cdev.flink.apache.org%3E", "name": "[flink-dev] 20210113 Re: [DISCUSS] Releasing Apache Flink 1.10.3", "tags": ["mailing-list", "x_refsource_MLIST"]}, {"url": "https://lists.apache.org/thread.html/r229167538863518738e02f4c1c5a8bb34c1d45dadcc97adf6676b0c1%40%3Cdev.flink.apache.org%3E", "name": "[flink-dev] 20210115 Re: [DISCUSS] Releasing Apache Flink 1.10.3", "tags": ["mailing-list", "x_refsource_MLIST"]}, {"url": "https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922%40%3Cannounce.apache.org%3E", "name": "[announce] 20210125 Apache Software Foundation Security Report: 2020", "tags": ["mailing-list", "x_refsource_MLIST"]}, {"url": "https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7%40%3Cannounce.apache.org%3E", "name": "[announce] 20210223 Re: Apache Software Foundation Security Report: 2020", "tags": ["mailing-list", "x_refsource_MLIST"]}, {"url": "https://lists.apache.org/thread.html/r26fcdd4fe288323006253437ebc4dd6fdfadfb5e93465a0e4f68420d%40%3Cuser-zh.flink.apache.org%3E", "tags": ["x_refsource_MISC"]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "descriptions": [{"lang": "en", "value": "A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. Access is restricted to files accessible by the JobManager process. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit b561010b0ee741543c3953306037f00d7a9f0801 from apache/flink:master."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-552", "description": "CWE-552 Files or Directories Accessible to External Parties"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2021-03-02T05:06:36"}, "x_legacyV4Record": {"credit": [{"lang": "eng", "value": "0rich1 of Ant Security FG Lab"}], "source": {"discovery": "UNKNOWN"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_name": "Apache Flink", "version_value": "1.11.0 to 1.11.2", "version_affected": "="}]}, "product_name": "Apache Flink"}]}, "vendor_name": "Apache Software Foundation"}]}}, "data_type": "CVE", "generator": {"engine": "Vulnogram 0.0.9"}, "references": {"reference_data": [{"url": "https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d%40%3Cdev.flink.apache.org%3E", "name": "https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d%40%3Cdev.flink.apache.org%3E", "refsource": "MISC"}, {"url": "https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d@%3Cuser.flink.apache.org%3E", "name": "[flink-user] 20210105 [CVE-2020-17519] Apache Flink directory traversal attack: reading remote files through the REST API", "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d@%3Cdev.flink.apache.org%3E", "name": "[flink-dev] 20210105 [CVE-2020-17519] Apache Flink directory traversal attack: reading remote files through the REST API", "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d@%3Cannounce.apache.org%3E", "name": "[announce] 20210105 [CVE-2020-17519] Apache Flink directory traversal attack: reading remote files through the REST API", "refsource": "MLIST"}, {"url": "http://www.openwall.com/lists/oss-security/2021/01/05/2", "name": "[oss-security] 20210105 [CVE-2020-17519] Apache Flink directory traversal attack: reading remote files through the REST API", "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/r28f17e564950d663e68cc6fe75756012dda62ac623766bb9bc5e7034@%3Cissues.flink.apache.org%3E", "name": "[flink-issues] 20210106 [GitHub] [flink-web] zentol commented on a change in pull request #408: Add security page for Flink", "refsource": "MLIST"}, {"url": "http://packetstormsecurity.com/files/160849/Apache-Flink-1.11.0-Arbitrary-File-Read-Directory-Traversal.html", "name": "http://packetstormsecurity.com/files/160849/Apache-Flink-1.11.0-Arbitrary-File-Read-Directory-Traversal.html", "refsource": "MISC"}, {"url": "https://lists.apache.org/thread.html/r2fc60b30557e4a537c2a6293023049bd1c49fd92b518309aa85a0398@%3Cissues.flink.apache.org%3E", "name": "[flink-issues] 20210110 [jira] [Updated] (FLINK-20916) Typo in test for CVE-2020-17519", "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/r4e1b72bfa789ea5bc20b8afe56119200ed25bdab0eb80d664fa5bfe2@%3Cdev.flink.apache.org%3E", "name": "[flink-dev] 20210110 [jira] [Created] (FLINK-20916) Typo in test for CVE-2020-17519", "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/r0a433be10676f4fe97ca423d08f914e0ead341c901216f292d2bbe83@%3Cissues.flink.apache.org%3E", "name": "[flink-issues] 20210110 [jira] [Created] (FLINK-20916) Typo in test for CVE-2020-17519", "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/r88b55f3ebf1f8f4e1cc61f030252aaef4b77060b56557a243abb92a1@%3Cissues.flink.apache.org%3E", "name": "[flink-issues] 20210111 [jira] [Assigned] (FLINK-20916) Typo in test for CVE-2020-17519", "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/r88f427865fb6aa6e6378efe07632a1906b430365e15e3b9621aabe1d@%3Cissues.flink.apache.org%3E", "name": "[flink-issues] 20210111 [jira] [Commented] (FLINK-20916) Typo in test for CVE-2020-17519", "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/ra8c96bf3ccb4e491f9ce87ba35f134b4449beb2a38d1ce28fd89001f@%3Cdev.flink.apache.org%3E", "name": "[flink-dev] 20210113 Re: [DISCUSS] Releasing Apache Flink 1.10.3", "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/r229167538863518738e02f4c1c5a8bb34c1d45dadcc97adf6676b0c1@%3Cdev.flink.apache.org%3E", "name": "[flink-dev] 20210115 Re: [DISCUSS] Releasing Apache Flink 1.10.3", "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922@%3Cannounce.apache.org%3E", "name": "[announce] 20210125 Apache Software Foundation Security Report: 2020", "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7@%3Cannounce.apache.org%3E", "name": "[announce] 20210223 Re: Apache Software Foundation Security Report: 2020", "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/r26fcdd4fe288323006253437ebc4dd6fdfadfb5e93465a0e4f68420d@%3Cuser-zh.flink.apache.org%3E", "name": "https://lists.apache.org/thread.html/r26fcdd4fe288323006253437ebc4dd6fdfadfb5e93465a0e4f68420d@%3Cuser-zh.flink.apache.org%3E", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. Access is restricted to files accessible by the JobManager process. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit b561010b0ee741543c3953306037f00d7a9f0801 from apache/flink:master."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-552 Files or Directories Accessible to External Parties"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2020-17519", "STATE": "PUBLIC", "TITLE": "Apache Flink directory traversal attack: reading remote files through the REST API", "ASSIGNER": "security@apache.org"}}}}, "cveMetadata": {"cveId": "CVE-2020-17519", "state": "PUBLISHED", "dateUpdated": "2024-08-04T14:00:48.269Z", "dateReserved": "2020-08-12T00:00:00", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2021-01-05T11:40:14", "assignerShortName": "apache"}, "dataVersion": "5.1"}

{"cisaActionDue": "2024-06-13", "cisaExploitAdd": "2024-05-23", "cisaRequiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.", "cisaVulnerabilityName": "Apache Flink Improper Access Control Vulnerability", "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:flink:*:*:*:*:*:*:*:*", "matchCriteriaId": "17DBFDC8-023D-4816-97AB-88F17ABB2CFC", "versionEndExcluding": "1.11.3", "versionStartIncluding": "1.11.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. Access is restricted to files accessible by the JobManager process. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit b561010b0ee741543c3953306037f00d7a9f0801 from apache/flink:master."}, {"lang": "es", "value": "Un cambio introducido en Apache Flink versi\u00f3n 1.11.0 (y lanzado en versiones 1.11.1 y 1.11.2 tambi\u00e9n) permite a atacantes leer cualquier archivo en el sistema de archivos local de JobManager por medio de la interfaz REST del proceso JobManager. El acceso est\u00e1 restringido a los archivos accesibles por medio del proceso de JobManager. Todos los usuarios deben actualizar a Flink versi\u00f3n 1.11.3 o 1.12.0 si sus instancias de Flink est\u00e1n expuestas. El problema se corrigi\u00f3 en el commit b561010b0ee741543c3953306037f00d7a9f0801 de apache/flink:master"}], "id": "CVE-2020-17519", "lastModified": "2025-02-13T16:47:51.753", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2021-01-05T12:15:12.680", "references": [{"source": "security@apache.org", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/160849/Apache-Flink-1.11.0-Arbitrary-File-Read-Directory-Traversal.html"}, {"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2021/01/05/2"}, {"source": "security@apache.org", "tags": ["Mailing List"], "url": "https://lists.apache.org/thread.html/r0a433be10676f4fe97ca423d08f914e0ead341c901216f292d2bbe83%40%3Cissues.flink.apache.org%3E"}, {"source": "security@apache.org", "tags": ["Mailing List"], "url": "https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7%40%3Cannounce.apache.org%3E"}, {"source": "security@apache.org", "tags": ["Issue Tracking"], "url": "https://lists.apache.org/thread.html/r229167538863518738e02f4c1c5a8bb34c1d45dadcc97adf6676b0c1%40%3Cdev.flink.apache.org%3E"}, {"source": "security@apache.org", "tags": ["Issue Tracking"], "url": "https://lists.apache.org/thread.html/r26fcdd4fe288323006253437ebc4dd6fdfadfb5e93465a0e4f68420d%40%3Cuser-zh.flink.apache.org%3E"}, {"source": "security@apache.org", "tags": ["Issue Tracking"], "url": "https://lists.apache.org/thread.html/r28f17e564950d663e68cc6fe75756012dda62ac623766bb9bc5e7034%40%3Cissues.flink.apache.org%3E"}, {"source": "security@apache.org", "tags": ["Issue Tracking"], "url": "https://lists.apache.org/thread.html/r2fc60b30557e4a537c2a6293023049bd1c49fd92b518309aa85a0398%40%3Cissues.flink.apache.org%3E"}, {"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread.html/r4e1b72bfa789ea5bc20b8afe56119200ed25bdab0eb80d664fa5bfe2%40%3Cdev.flink.apache.org%3E"}, {"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d%40%3Cannounce.apache.org%3E"}, {"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d%40%3Cdev.flink.apache.org%3E"}, {"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d%40%3Cdev.flink.apache.org%3E"}, {"source": "security@apache.org", "tags": ["Issue Tracking"], "url": "https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d%40%3Cuser.flink.apache.org%3E"}, {"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread.html/r88b55f3ebf1f8f4e1cc61f030252aaef4b77060b56557a243abb92a1%40%3Cissues.flink.apache.org%3E"}, {"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread.html/r88f427865fb6aa6e6378efe07632a1906b430365e15e3b9621aabe1d%40%3Cissues.flink.apache.org%3E"}, {"source": "security@apache.org", "tags": ["Mailing List", "Not Applicable"], "url": "https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922%40%3Cannounce.apache.org%3E"}, {"source": "security@apache.org", "tags": ["Issue Tracking"], "url": "https://lists.apache.org/thread.html/ra8c96bf3ccb4e491f9ce87ba35f134b4449beb2a38d1ce28fd89001f%40%3Cdev.flink.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/160849/Apache-Flink-1.11.0-Arbitrary-File-Read-Directory-Traversal.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2021/01/05/2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"], "url": "https://lists.apache.org/thread.html/r0a433be10676f4fe97ca423d08f914e0ead341c901216f292d2bbe83%40%3Cissues.flink.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"], "url": "https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7%40%3Cannounce.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking"], "url": "https://lists.apache.org/thread.html/r229167538863518738e02f4c1c5a8bb34c1d45dadcc97adf6676b0c1%40%3Cdev.flink.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking"], "url": "https://lists.apache.org/thread.html/r26fcdd4fe288323006253437ebc4dd6fdfadfb5e93465a0e4f68420d%40%3Cuser-zh.flink.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking"], "url": "https://lists.apache.org/thread.html/r28f17e564950d663e68cc6fe75756012dda62ac623766bb9bc5e7034%40%3Cissues.flink.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking"], "url": "https://lists.apache.org/thread.html/r2fc60b30557e4a537c2a6293023049bd1c49fd92b518309aa85a0398%40%3Cissues.flink.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread.html/r4e1b72bfa789ea5bc20b8afe56119200ed25bdab0eb80d664fa5bfe2%40%3Cdev.flink.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d%40%3Cannounce.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d%40%3Cdev.flink.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d%40%3Cdev.flink.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking"], "url": "https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d%40%3Cuser.flink.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread.html/r88b55f3ebf1f8f4e1cc61f030252aaef4b77060b56557a243abb92a1%40%3Cissues.flink.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread.html/r88f427865fb6aa6e6378efe07632a1906b430365e15e3b9621aabe1d%40%3Cissues.flink.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Not Applicable"], "url": "https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922%40%3Cannounce.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking"], "url": "https://lists.apache.org/thread.html/ra8c96bf3ccb4e491f9ce87ba35f134b4449beb2a38d1ce28fd89001f%40%3Cdev.flink.apache.org%3E"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-552"}], "source": "security@apache.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-552"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "apache-flink: directory traversal attack allows reading remote files through the REST API", "id": "1913317", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1913317"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-552", "details": ["A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. Access is restricted to files accessible by the JobManager process. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit b561010b0ee741543c3953306037f00d7a9f0801 from apache/flink:master."], "name": "CVE-2020-17519", "package_state": [{"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "camel-flink", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Not affected", "package_name": "camel-flink", "product_name": "Red Hat Integration Camel K"}], "public_date": "2021-01-05T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-17519\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-17519\nhttps://www.cisa.gov/known-exploited-vulnerabilities-catalog"], "threat_severity": "Moderate"}