ID

VAR-202101-0146


CVE

CVE-2020-17519


TITLE

Apache Flink  Vulnerability in externally accessible files or directories in

Trust: 0.8

sources: JVNDB: JVNDB-2020-015211

DESCRIPTION

A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. Access is restricted to files accessible by the JobManager process. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit b561010b0ee741543c3953306037f00d7a9f0801 from apache/flink:master. Apache Flink Contains vulnerabilities in externally accessible files or directories.Information may be obtained. Apache Flink is an efficient and distributed general data processing platform. Attackers can use this vulnerability to read sensitive files on the server, use hard-coded credentials to use the vulnerability to read and write HMI configuration files and reset the device

Trust: 2.25

sources: NVD: CVE-2020-17519 // JVNDB: JVNDB-2020-015211 // CNVD: CNVD-2021-02361 // VULMON: CVE-2020-17519

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2021-02361

AFFECTED PRODUCTS

vendor:apachemodel:flinkscope:lteversion:1.11.2

Trust: 1.0

vendor:apachemodel:flinkscope:gteversion:1.11.0

Trust: 1.0

vendor:apachemodel:flinkscope:eqversion:1.11.0

Trust: 0.8

vendor:apachemodel:flinkscope:eqversion:1.11.1

Trust: 0.8

vendor:apachemodel:flinkscope:eqversion: -

Trust: 0.8

vendor:apachemodel:flinkscope:eqversion:1.11.2

Trust: 0.8

vendor:apachemodel:flinkscope:gteversion:1.11.0,<=1.11.2

Trust: 0.6

sources: CNVD: CNVD-2021-02361 // JVNDB: JVNDB-2020-015211 // NVD: CVE-2020-17519

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2020-17519
value: HIGH

Trust: 1.8

CNVD: CNVD-2021-02361
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202101-271
value: HIGH

Trust: 0.6

VULMON: CVE-2020-17519
value: MEDIUM

Trust: 0.1

VULMON: CVE-2020-17519
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2021-02361
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

NVD: CVE-2020-17519
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2020-17519
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2021-02361 // VULMON: CVE-2020-17519 // JVNDB: JVNDB-2020-015211 // CNNVD: CNNVD-202101-271 // NVD: CVE-2020-17519

PROBLEMTYPE DATA

problemtype:CWE-552

Trust: 1.0

problemtype:Externally accessible file or directory (CWE-552) [NVD Evaluation ]

Trust: 0.8

sources: JVNDB: JVNDB-2020-015211 // NVD: CVE-2020-17519

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202101-271

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202101-271

CONFIGURATIONS

sources: NVD: CVE-2020-17519

PATCH

title:[DISCUSS] Releasing Apache Flink 1.10.3url:https://lists.apache.org/thread.html/r0a433be10676f4fe97ca423d08f914e0ead341c901216f292d2bbe83@%3cissues.flink.apache.org%3e

Trust: 0.8

title:Patch for Apache Flink arbitrary file reading vulnerabilityurl:https://www.cnvd.org.cn/patchinfo/show/243637

Trust: 0.6

title:Apache Flink Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=138918

Trust: 0.6

title:CVE-2020-17519url:https://github.com/murataydemir/cve-2020-17519

Trust: 0.1

title:CVE-2020-17519url:https://github.com/qmf0c3uk/cve-2020-17519

Trust: 0.1

title:westone-CVE-2020-17519-scannerurl:https://github.com/osyanina/westone-cve-2020-17519-scanner

Trust: 0.1

title:CVE-2020-17519url:https://github.com/givemefivw/cve-2020-17519

Trust: 0.1

sources: CNVD: CNVD-2021-02361 // VULMON: CVE-2020-17519 // JVNDB: JVNDB-2020-015211 // CNNVD: CNNVD-202101-271

EXTERNAL IDS

db:NVDid:CVE-2020-17519

Trust: 3.1

db:OPENWALLid:OSS-SECURITY/2021/01/05/2

Trust: 2.2

db:PACKETSTORMid:160849

Trust: 1.6

db:JVNDBid:JVNDB-2020-015211

Trust: 0.8

db:CNVDid:CNVD-2021-02361

Trust: 0.6

db:EXPLOIT-DBid:49398

Trust: 0.6

db:CNNVDid:CNNVD-202101-271

Trust: 0.6

db:VULMONid:CVE-2020-17519

Trust: 0.1

sources: CNVD: CNVD-2021-02361 // VULMON: CVE-2020-17519 // JVNDB: JVNDB-2020-015211 // CNNVD: CNNVD-202101-271 // NVD: CVE-2020-17519

REFERENCES

url:http://www.openwall.com/lists/oss-security/2021/01/05/2

Trust: 2.2

url:https://packetstormsecurity.com/files/160849/apache-flink-1.11.0-arbitrary-file-read-directory-traversal.html

Trust: 2.2

url:https://lists.apache.org/thread.html/r28f17e564950d663e68cc6fe75756012dda62ac623766bb9bc5e7034@%3cissues.flink.apache.org%3e

Trust: 1.6

url:https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7@%3cannounce.apache.org%3e

Trust: 1.6

url:https://lists.apache.org/thread.html/r88f427865fb6aa6e6378efe07632a1906b430365e15e3b9621aabe1d@%3cissues.flink.apache.org%3e

Trust: 1.6

url:https://lists.apache.org/thread.html/r4e1b72bfa789ea5bc20b8afe56119200ed25bdab0eb80d664fa5bfe2@%3cdev.flink.apache.org%3e

Trust: 1.6

url:https://lists.apache.org/thread.html/ra8c96bf3ccb4e491f9ce87ba35f134b4449beb2a38d1ce28fd89001f@%3cdev.flink.apache.org%3e

Trust: 1.6

url:https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d@%3cuser.flink.apache.org%3e

Trust: 1.6

url:https://lists.apache.org/thread.html/r88b55f3ebf1f8f4e1cc61f030252aaef4b77060b56557a243abb92a1@%3cissues.flink.apache.org%3e

Trust: 1.6

url:https://lists.apache.org/thread.html/r26fcdd4fe288323006253437ebc4dd6fdfadfb5e93465a0e4f68420d@%3cuser-zh.flink.apache.org%3e

Trust: 1.6

url:https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d%40%3cdev.flink.apache.org%3e

Trust: 1.6

url:https://lists.apache.org/thread.html/r229167538863518738e02f4c1c5a8bb34c1d45dadcc97adf6676b0c1@%3cdev.flink.apache.org%3e

Trust: 1.6

url:https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d@%3cdev.flink.apache.org%3e

Trust: 1.6

url:https://lists.apache.org/thread.html/r2fc60b30557e4a537c2a6293023049bd1c49fd92b518309aa85a0398@%3cissues.flink.apache.org%3e

Trust: 1.6

url:https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922@%3cannounce.apache.org%3e

Trust: 1.6

url:https://lists.apache.org/thread.html/r0a433be10676f4fe97ca423d08f914e0ead341c901216f292d2bbe83@%3cissues.flink.apache.org%3e

Trust: 1.6

url:https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d@%3cannounce.apache.org%3e

Trust: 1.6

url:https://nvd.nist.gov/vuln/detail/cve-2020-17519

Trust: 1.4

url:https://www.exploit-db.com/exploits/49398

Trust: 0.6

sources: CNVD: CNVD-2021-02361 // JVNDB: JVNDB-2020-015211 // CNNVD: CNNVD-202101-271 // NVD: CVE-2020-17519

CREDITS

SunCSR

Trust: 0.6

sources: CNNVD: CNNVD-202101-271

SOURCES

db:CNVDid:CNVD-2021-02361
db:VULMONid:CVE-2020-17519
db:JVNDBid:JVNDB-2020-015211
db:CNNVDid:CNNVD-202101-271
db:NVDid:CVE-2020-17519

LAST UPDATE DATE

2022-05-04T10:10:44.319000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2021-02361date:2021-01-13T00:00:00
db:VULMONid:CVE-2020-17519date:2021-03-17T00:00:00
db:JVNDBid:JVNDB-2020-015211date:2021-09-14T09:04:00
db:CNNVDid:CNNVD-202101-271date:2021-03-03T00:00:00
db:NVDid:CVE-2020-17519date:2021-03-17T16:40:00

SOURCES RELEASE DATE

db:CNVDid:CNVD-2021-02361date:2021-01-10T00:00:00
db:VULMONid:CVE-2020-17519date:2021-01-05T00:00:00
db:JVNDBid:JVNDB-2020-015211date:2021-09-14T00:00:00
db:CNNVDid:CNNVD-202101-271date:2021-01-05T00:00:00
db:NVDid:CVE-2020-17519date:2021-01-05T12:15:00