CISA Warns of Actively Exploited Apache Flink Vulnerability

In early 2021, an access control flaw in Apache Flink was rectified, which has now been added to the CISA KEV catalog. This signifies that cybercriminals are actively exploiting the vulnerability to compromise targets.

Apache Flink is an open-source platform for stream and batch data processing, maintained by the Apache Software Foundation.


CVE-2020-17519 (CVSS score: 7.5) pertains to improper access control, allowing an attacker to read any file in the local file system of the JobManager via the REST interface. The vulnerability affects Apache Flink version 1.11.0 (and the subsequent 1.11.1 and 1.11.2 releases).

Apache fixed the vulnerability in versions 1.11.3 and 1.12.0. Shortly thereafter, security researchers published proof-of-concept code. Yet, by May 2024, federal agencies and other organizations were still using insecure versions, with criminals actively exploiting the vulnerability.

CISA has not provided detailed information about the vulnerability and instances of exploitation. In the database, the status of the flaw is marked as “unknown,” indicating that it is currently unclear who is exploiting the flaw and for what purpose. Despite this, Palo Alto Networks’ Unit 42 division warned of widespread abuse from November 2020 to January 2021.

The inclusion of the flaw in the catalog mandates federal agencies to either patch the vulnerability or cease using the tool entirely by June 13. Other software users must ensure they have applied the necessary updates. It is also recommended to check if the system has been compromised via this vulnerability. Although active exploitation has only recently come to light, it could have been exploited earlier.