What is CVE-2020-17519?

CVE-2020-17519 is a vulnerability in Apache Software Foundation Flink, classified under Files or Directories Accessible to External Parties. Published 2021-01-05.

Is CVE-2020-17519 known to be exploited?

Yes. CVE-2020-17519 is listed in the CISA Known Exploited Vulnerabilities catalog (added 2024-05-23), indicating it is being actively exploited. 120 public proof-of-concept repositories are indexed.

Vulnerability in Apache Software Foundation Flink

CVE-2020-17519

A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. Access is restricted t…

EPSS: 0.943 (100.0th percentile) — read the EPSS interpretation.

Affected products

Apache Software Foundation Flink — versions Apache Flink 1.11.0 to 1.11.2

Weakness classification (CWE)

CWE-552 — Files or Directories Accessible to External Parties

CISA KEV (Known Exploited Vulnerabilities)

This CVE is on the CISA KEV catalog, added on 2024-05-23. CISA KEV inclusion means CISA has confirmed in-the-wild exploitation; US federal agencies are required to remediate within a published due date.

BOD 22-01 due date: 2024-06-13.

Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Public proof-of-concept exploits

References

lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598b… (x_refsource_MISC)
[flink-user] 20210105 [CVE-2020-17519] Apache Flink directory traversal attack: reading remote files through the REST API (mailing-list, x_refsource_MLIST)
[announce] 20210105 [CVE-2020-17519] Apache Flink directory traversal attack: reading remote files through the REST API (mailing-list, x_refsource_MLIST)
[oss-security] 20210105 [CVE-2020-17519] Apache Flink directory traversal attack: reading remote files through the REST API (mailing-list, x_refsource_MLIST)
[flink-issues] 20210106 [GitHub] [flink-web] zentol commented on a change in pull request #408: Add security page for Flink (mailing-list, x_refsource_MLIST)
packetstormsecurity.com/files/160849/Apache-Flink-1.11.0-Arbitrary-File-Read-Di… (x_refsource_MISC)
[flink-issues] 20210110 [jira] [Updated] (FLINK-20916) Typo in test for CVE-2020-17519 (mailing-list, x_refsource_MLIST)
[flink-dev] 20210110 [jira] [Created] (FLINK-20916) Typo in test for CVE-2020-17519 (mailing-list, x_refsource_MLIST)
[flink-issues] 20210110 [jira] [Created] (FLINK-20916) Typo in test for CVE-2020-17519 (mailing-list, x_refsource_MLIST)
[flink-issues] 20210111 [jira] [Assigned] (FLINK-20916) Typo in test for CVE-2020-17519 (mailing-list, x_refsource_MLIST)

Frequently asked questions

What is CVE-2020-17519?: CVE-2020-17519 is a vulnerability in Apache Software Foundation Flink, classified under Files or Directories Accessible to External Parties. Published 2021-01-05.
Is CVE-2020-17519 known to be exploited?: Yes. CVE-2020-17519 is listed in the CISA Known Exploited Vulnerabilities catalog (added 2024-05-23), indicating it is being actively exploited. 120 public proof-of-concept repositories are indexed.