What is the severity of CVE-2020-17519?

CVE-2020-17519 has a medium severity rating as it allows attackers to read any file on the local filesystem of the JobManager.

How do I fix CVE-2020-17519?

To fix CVE-2020-17519, upgrade Apache Flink to version 1.11.3 or later.

What versions of Apache Flink are affected by CVE-2020-17519?

CVE-2020-17519 affects Apache Flink versions from 1.11.0 to 1.11.2.

What is the impact of CVE-2020-17519?

The impact of CVE-2020-17519 is that it allows unauthorized file access, leading to potential data leakage.

Is CVE-2020-17519 specific to any deployment environment?

CVE-2020-17519 is specific to deployments using the JobManager process of Apache Flink.

Vulnerability/
CVE-2020-17519

Exploited

critical

9.1

CWE

552 22

5/1/2021

6/1/2021

13/2/2025

CVE-2020-17519: Apache Flink directory traversal attack: reading remote files through the REST API

First published: Tue Jan 05 2021(Updated: )

A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. Access is restricted to files accessible by the JobManager process. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit b561010b0ee741543c3953306037f00d7a9f0801 from apache/flink:master.

Credit: security@apache.org security@apache.org

Affected Software	Affected Version	How to fix
Apache Flink	>=1.11.0<=1.11.2
maven/org.apache.flink:flink-runtime_2.12	>=1.11.0<1.11.3	1.11.3
Apache Flink
Apache Flink	>=1.11.0<1.11.3
	>=1.11.0<1.11.3

Remedy

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2020-17519?
CVE-2020-17519 has a medium severity rating as it allows attackers to read any file on the local filesystem of the JobManager.
How do I fix CVE-2020-17519?
To fix CVE-2020-17519, upgrade Apache Flink to version 1.11.3 or later.
What versions of Apache Flink are affected by CVE-2020-17519?
CVE-2020-17519 affects Apache Flink versions from 1.11.0 to 1.11.2.
What is the impact of CVE-2020-17519?
The impact of CVE-2020-17519 is that it allows unauthorized file access, leading to potential data leakage.
Is CVE-2020-17519 specific to any deployment environment?
CVE-2020-17519 is specific to deployments using the JobManager process of Apache Flink.

collector/nvd-index
agent/type
agent/remedy
agent/description
agent/author
collector/the-register
source/The Register
alias/CVE-2020-17519
collector/github-advisory-latest
source/GitHub
alias/GHSA-395w-qhqr-9fr6
agent/software-canonical-lookup
agent/weakness
collector/github-advisory
agent/first-publish-date
agent/severity
collector/mitre-cve
source/MITRE
collector/nvd-api
source/NVD
exploited/true
collector/cisa-known-exploited
source/CISA
agent/references
agent/softwarecombine
agent/event
agent/title
collector/nvd-cve
agent/last-modified-date
agent/tags
agent/trending
agent/source
vendor/apache
canonical/apache flink
version/apache flink/1.11.0
version/apache flink/1.11.2
package-manager/maven