The Apache mailing list archives published reports for two vulnerabilities (CVE-2020-17518 and CVE-2020-17519). These vulnerabilities were submitted by the Ant Security FG Lab. Attackers can read and write remote files through the REST API and perform directory traversal attacks.
Flink 1.5.1 introduced a REST handler that allows you to write an uploaded file to an arbitrary location on the local file system, through a maliciously modified HTTP header. The files can be written to any location accessible by Flink 1.5.1.
A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. Access is restricted to files accessible by the JobManager process.
Affected versions:
- Apache Flink 1.5.1 – 1.11.2

Fixed versions:
- Apache Flink 1.12.0 & 1.11.3
Apache Flink has released fixed versions that address these vulnerabilities, and affected users are advised to upgrade to version 1.12.0 or 1.11.3 promptly.
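
To check an inventory against the version ranges above, the following added example (not code from the advisory or from the Flink project) classifies Flink version strings by which of the two issues applies. The host names, the sample inventory and the issue labels `file-write` and `file-read` are assumptions made for the example.

```python
import re

# Inclusive version ranges, taken from the advisory text above.
FILE_WRITE = ((1, 5, 1), (1, 11, 2))   # REST upload handler, arbitrary file write
FILE_READ = ((1, 11, 0), (1, 11, 2))   # JobManager REST interface, arbitrary file read

_VERSION = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(.*)$")


def parse_version(text):
    """Return ((major, minor, patch), suffix); a missing patch counts as 0."""
    match = _VERSION.match(text.strip())
    if match is None:
        raise ValueError(f"not a Flink version string: {text!r}")
    major, minor, patch, suffix = match.groups()
    return (int(major), int(minor), int(patch or 0)), suffix


def triage(version_text):
    """Classify one version string against both affected ranges."""
    version, suffix = parse_version(version_text)
    issues = []
    # Compare integer tuples: as plain strings, "1.5.1" sorts after "1.11.2".
    if FILE_WRITE[0] <= version <= FILE_WRITE[1]:
        issues.append("file-write")
    if FILE_READ[0] <= version <= FILE_READ[1]:
        issues.append("file-read")
    # A suffix (-SNAPSHOT, -rc1) means a non-release build: check it by hand.
    return {"issues": issues, "manual_review": bool(suffix)}


def affected_hosts(inventory):
    """Map host -> issue list for every host running an affected version."""
    result = {}
    for host, version_text in inventory.items():
        issues = triage(version_text)["issues"]
        if issues:
            result[host] = issues
    return result


# Constructed sample inventory (hypothetical host names).
SAMPLE_INVENTORY = {
    "flink-jm-01": "1.11.1",
    "flink-jm-02": "1.10.3",
    "flink-jm-03": "1.12.0",
    "flink-jm-04": "1.5.0",
}

if __name__ == "__main__":
    for host, issues in affected_hosts(SAMPLE_INVENTORY).items():
        print(host, ", ".join(issues))
```

Versions 1.11.0 through 1.11.2 fall in both ranges, so those hosts are reported with both issues.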