ID

VAR-202101-0146


CVE

CVE-2020-17519


TITLE

Apache Flink  Vulnerability in externally accessible files or directories in

Trust: 0.8

sources: JVNDB: JVNDB-2020-015211

DESCRIPTION

A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. Access is restricted to files accessible by the JobManager process. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit b561010b0ee741543c3953306037f00d7a9f0801 from apache/flink:master. Apache Flink Contains vulnerabilities in externally accessible files or directories.Information may be obtained. Apache Flink is an efficient and distributed general data processing platform. Attackers can use this vulnerability to read sensitive files on the server, use hard-coded credentials to use the vulnerability to read and write HMI configuration files and reset the device

Trust: 2.25

sources: NVD: CVE-2020-17519 // JVNDB: JVNDB-2020-015211 // CNVD: CNVD-2021-02361 // VULMON: CVE-2020-17519

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2021-02361

AFFECTED PRODUCTS

vendor:apachemodel:flinkscope:gteversion:1.11.0

Trust: 1.0

vendor:apachemodel:flinkscope:lteversion:1.11.2

Trust: 1.0

vendor:apachemodel:flinkscope:eqversion:1.11.0

Trust: 0.8

vendor:apachemodel:flinkscope:eqversion:1.11.1

Trust: 0.8

vendor:apachemodel:flinkscope:eqversion: -

Trust: 0.8

vendor:apachemodel:flinkscope:eqversion:1.11.2

Trust: 0.8

vendor:apachemodel:flinkscope:gteversion:1.11.0,<=1.11.2

Trust: 0.6

sources: CNVD: CNVD-2021-02361 // JVNDB: JVNDB-2020-015211 // NVD: CVE-2020-17519

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2020-17519
value: HIGH

Trust: 1.8

CNVD: CNVD-2021-02361
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202101-271
value: HIGH

Trust: 0.6

VULMON: CVE-2020-17519
value: MEDIUM

Trust: 0.1

NVD:
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: FALSE
obtainAllPrivilege: FALSE
obtainUserPrivilege: FALSE
obtainOtherPrivilege: FALSE
userInteractionRequired: FALSE
version: 2.0

Trust: 1.0

NVD: CVE-2020-17519
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.9

CNVD: CNVD-2021-02361
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

NVD:
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2020-17519
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2021-02361 // VULMON: CVE-2020-17519 // JVNDB: JVNDB-2020-015211 // NVD: CVE-2020-17519 // CNNVD: CNNVD-202101-271

PROBLEMTYPE DATA

problemtype:CWE-552

Trust: 1.0

problemtype:Externally accessible file or directory (CWE-552) [NVD Evaluation ]

Trust: 0.8

sources: JVNDB: JVNDB-2020-015211 // NVD: CVE-2020-17519

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202101-271

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202101-271

CONFIGURATIONS

sources: NVD: CVE-2020-17519

PATCH

title:[DISCUSS] Releasing Apache Flink 1.10.3url:https://lists.apache.org/thread.html/r0a433be10676f4fe97ca423d08f914e0ead341c901216f292d2bbe83@%3cissues.flink.apache.org%3e

Trust: 0.8

title:Patch for Apache Flink arbitrary file reading vulnerabilityurl:https://www.cnvd.org.cn/patchinfo/show/243637

Trust: 0.6

title:Apache Flink Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=138918

Trust: 0.6

title:westone-CVE-2020-17519-scanner Installation & Usageurl:https://github.com/osyanina/westone-cve-2020-17519-scanner

Trust: 0.1

sources: CNVD: CNVD-2021-02361 // VULMON: CVE-2020-17519 // JVNDB: JVNDB-2020-015211 // CNNVD: CNNVD-202101-271

EXTERNAL IDS

db:NVDid:CVE-2020-17519

Trust: 3.1

db:OPENWALLid:OSS-SECURITY/2021/01/05/2

Trust: 2.2

db:PACKETSTORMid:160849

Trust: 1.6

db:JVNDBid:JVNDB-2020-015211

Trust: 0.8

db:CNVDid:CNVD-2021-02361

Trust: 0.6

db:EXPLOIT-DBid:49398

Trust: 0.6

db:CNNVDid:CNNVD-202101-271

Trust: 0.6

db:VULMONid:CVE-2020-17519

Trust: 0.1

sources: CNVD: CNVD-2021-02361 // VULMON: CVE-2020-17519 // JVNDB: JVNDB-2020-015211 // NVD: CVE-2020-17519 // CNNVD: CNNVD-202101-271

REFERENCES

url:http://www.openwall.com/lists/oss-security/2021/01/05/2

Trust: 2.2

url:http://packetstormsecurity.com/files/160849/apache-flink-1.11.0-arbitrary-file-read-directory-traversal.html

Trust: 2.2

url:https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d%40%3cdev.flink.apache.org%3e

Trust: 1.6

url:https://nvd.nist.gov/vuln/detail/cve-2020-17519

Trust: 1.4

url:https://lists.apache.org/thread.html/r0a433be10676f4fe97ca423d08f914e0ead341c901216f292d2bbe83%40%3cissues.flink.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7%40%3cannounce.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/r229167538863518738e02f4c1c5a8bb34c1d45dadcc97adf6676b0c1%40%3cdev.flink.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/r26fcdd4fe288323006253437ebc4dd6fdfadfb5e93465a0e4f68420d%40%3cuser-zh.flink.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/r28f17e564950d663e68cc6fe75756012dda62ac623766bb9bc5e7034%40%3cissues.flink.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/r2fc60b30557e4a537c2a6293023049bd1c49fd92b518309aa85a0398%40%3cissues.flink.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/r4e1b72bfa789ea5bc20b8afe56119200ed25bdab0eb80d664fa5bfe2%40%3cdev.flink.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d%40%3cannounce.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d%40%3cuser.flink.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/r88b55f3ebf1f8f4e1cc61f030252aaef4b77060b56557a243abb92a1%40%3cissues.flink.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/r88f427865fb6aa6e6378efe07632a1906b430365e15e3b9621aabe1d%40%3cissues.flink.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922%40%3cannounce.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/ra8c96bf3ccb4e491f9ce87ba35f134b4449beb2a38d1ce28fd89001f%40%3cdev.flink.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/r28f17e564950d663e68cc6fe75756012dda62ac623766bb9bc5e7034@%3cissues.flink.apache.org%3e

Trust: 0.6

url:https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7@%3cannounce.apache.org%3e

Trust: 0.6

url:https://lists.apache.org/thread.html/r88f427865fb6aa6e6378efe07632a1906b430365e15e3b9621aabe1d@%3cissues.flink.apache.org%3e

Trust: 0.6

url:https://lists.apache.org/thread.html/r4e1b72bfa789ea5bc20b8afe56119200ed25bdab0eb80d664fa5bfe2@%3cdev.flink.apache.org%3e

Trust: 0.6

url:https://lists.apache.org/thread.html/ra8c96bf3ccb4e491f9ce87ba35f134b4449beb2a38d1ce28fd89001f@%3cdev.flink.apache.org%3e

Trust: 0.6

url:https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d@%3cuser.flink.apache.org%3e

Trust: 0.6

url:https://lists.apache.org/thread.html/r88b55f3ebf1f8f4e1cc61f030252aaef4b77060b56557a243abb92a1@%3cissues.flink.apache.org%3e

Trust: 0.6

url:https://lists.apache.org/thread.html/r26fcdd4fe288323006253437ebc4dd6fdfadfb5e93465a0e4f68420d@%3cuser-zh.flink.apache.org%3e

Trust: 0.6

url:https://lists.apache.org/thread.html/r229167538863518738e02f4c1c5a8bb34c1d45dadcc97adf6676b0c1@%3cdev.flink.apache.org%3e

Trust: 0.6

url:https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d@%3cdev.flink.apache.org%3e

Trust: 0.6

url:https://lists.apache.org/thread.html/r2fc60b30557e4a537c2a6293023049bd1c49fd92b518309aa85a0398@%3cissues.flink.apache.org%3e

Trust: 0.6

url:https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922@%3cannounce.apache.org%3e

Trust: 0.6

url:https://lists.apache.org/thread.html/r0a433be10676f4fe97ca423d08f914e0ead341c901216f292d2bbe83@%3cissues.flink.apache.org%3e

Trust: 0.6

url:https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d@%3cannounce.apache.org%3e

Trust: 0.6

url:https://www.exploit-db.com/exploits/49398

Trust: 0.6

sources: CNVD: CNVD-2021-02361 // JVNDB: JVNDB-2020-015211 // NVD: CVE-2020-17519 // CNNVD: CNNVD-202101-271

CREDITS

SunCSR

Trust: 0.6

sources: CNNVD: CNNVD-202101-271

SOURCES

db:CNVDid:CNVD-2021-02361
db:VULMONid:CVE-2020-17519
db:JVNDBid:JVNDB-2020-015211
db:NVDid:CVE-2020-17519
db:CNNVDid:CNNVD-202101-271

LAST UPDATE DATE

2024-01-03T13:38:54.185000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2021-02361date:2021-01-13T00:00:00
db:VULMONid:CVE-2020-17519date:2023-11-07T00:00:00
db:JVNDBid:JVNDB-2020-015211date:2021-09-14T09:04:00
db:NVDid:CVE-2020-17519date:2023-11-07T03:19:12.707
db:CNNVDid:CNNVD-202101-271date:2021-03-03T00:00:00

SOURCES RELEASE DATE

db:CNVDid:CNVD-2021-02361date:2021-01-10T00:00:00
db:VULMONid:CVE-2020-17519date:2021-01-05T00:00:00
db:JVNDBid:JVNDB-2020-015211date:2021-09-14T00:00:00
db:NVDid:CVE-2020-17519date:2021-01-05T12:15:12.680
db:CNNVDid:CNNVD-202101-271date:2021-01-05T00:00:00