QID 730426
Date Published: 2022-04-07
QID 730426: Apache Flink Arbitrary File Read Vulnerability
Apache Flink is an open-source, unified stream-processing and batch-processing framework developed by the Apache Software Foundation. The core of Apache Flink is a distributed streaming data-flow engine written in Java and Scala. Flink executes arbitrary dataflow programs in a data-parallel and pipelined (hence task parallel) manner.
CVE-2020-17519: A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. Access is restricted to files accessible by the JobManager process.
Affected Versions:
Apache Flink versions from 1.11.0 prior to 1.11.3
QID Detection Logic (Unauthenticated):
This QID sends a GET request to grab the value of 'flink-version' from the source code, and checks if the version is vulnerable or not.
Successful exploitation of this vulnerability may allow an unauthenticated remote attacker to read arbitrary file on the system using directory traversal attack.
- Apache Flink Advisory -
lists.apache.org/thread/l5r1k1f2s4qjjyl1p6wt6sqzcwomkfmk
CVEs related to QID 730426
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| Apache Flink Advisory |
|