CVE-2020-17518 & CVE-2020-17519: Apache Flink Directory Traversal Vulnerabilities Alert

The Apache mailing list archives published reports of two vulnerabilities (CVE-2020-17518 and CVE-2020-17519). These vulnerabilities were submitted by the Ant Security FG Lab. Attackers can read and write remote files through the REST API and perform directory traversal attacks.

Vulnerability Detail

CVE-2020-17518

Flink 1.5.1 introduced a REST handler that allows an uploaded file to be written to an arbitrary location on the local file system through a maliciously modified HTTP header. Files can be written to any location accessible by Flink 1.5.1.

CVE-2020-17519

A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. Access is restricted to files accessible by the JobManager process.

Affected version

  • Apache Flink 1.5.1 – 1.11.2

Unaffected version

  • Apache Flink 1.12.0 & 1.11.3

Solution

Apache Flink has released fixed versions that address these vulnerabilities, and affected users are advised to upgrade to version 1.12.0 or 1.11.3 promptly.
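
To find which deployments need the upgrade, the version ranges stated above can be applied to an inventory of Flink versions. The following is an added example, not part of the original advisory or of Apache Flink; the host names and inventory are constructed, and treating a version suffix such as "-SNAPSHOT" like the base release is an assumption.

```python
import re

# Inclusive affected ranges, taken from the "Vulnerability Detail" and
# "Affected version" sections of this advisory.
AFFECTED = {
    "CVE-2020-17518": ((1, 5, 1), (1, 11, 2)),   # file write via REST upload handler
    "CVE-2020-17519": ((1, 11, 0), (1, 11, 2)),  # file read via JobManager REST interface
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Return (major, minor, patch) for strings like '1.11.2' or '1.9.3-SNAPSHOT'.

    Assumption: any suffix after the numeric part is ignored, so a snapshot or
    vendor build is judged by its base release. A missing patch number is 0.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Flink version: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def applicable_cves(version_text):
    """List the CVEs from this advisory whose affected range contains the version."""
    v = parse_version(version_text)
    return sorted(cve for cve, (lo, hi) in AFFECTED.items() if lo <= v <= hi)


def triage(inventory):
    """Map each affected host to its CVE list; unaffected hosts are omitted."""
    findings = {}
    for host, version in inventory.items():
        cves = applicable_cves(version)
        if cves:
            findings[host] = cves
    return findings


# Constructed inventory for illustration (hypothetical host names).
SAMPLE_INVENTORY = {
    "flink-jm-01": "1.11.2",
    "flink-jm-02": "1.9.3-SNAPSHOT",
    "flink-jm-03": "1.11.3",
    "flink-jm-04": "1.12.0",
}

if __name__ == "__main__":
    for host, cves in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: upgrade to 1.11.3 or 1.12.0 ({', '.join(cves)})")
```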