Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CNVD-2021-07119
Vulnerability from cnvd - Published: 2021-01-28
VLAI Severity ?
Title
Apache Flink任意文件写入漏洞
Description
Apache Flink 是高效和分布式的通用数据处理平台。
Apache Flink产品存在任意文件写入漏洞,攻击者可以利用该漏洞读取服务器的敏感文件,借助硬编码凭证利用该漏洞对HMI配置文件进行读写操作并重置设备。
Severity
中
Patch Name
Apache Flink任意文件写入漏洞的补丁
Patch Description
Apache Flink 是高效和分布式的通用数据处理平台。
Apache Flink产品存在任意文件写入漏洞,攻击者可以利用该漏洞读取服务器的敏感文件,借助硬编码凭证利用该漏洞对HMI配置文件进行读写操作并重置设备。目前,供应商发布了安全公告及相关补丁信息,修复了此漏洞。
Formal description
目前厂商已发布升级补丁已修复漏洞,补丁获取链接: https://flink.apache.org/
Reference
http://www.openwall.com/lists/oss-security/2021/01/05/1
Impacted products
| Name | Apache Flink |
|---|
{
"cves": {
"cve": {
"cveNumber": "CVE-2020-17518",
"cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2020-17518"
}
},
"description": "Apache Flink \u662f\u9ad8\u6548\u548c\u5206\u5e03\u5f0f\u7684\u901a\u7528\u6570\u636e\u5904\u7406\u5e73\u53f0\u3002\n\nApache Flink\u4ea7\u54c1\u5b58\u5728\u4efb\u610f\u6587\u4ef6\u5199\u5165\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u8be5\u6f0f\u6d1e\u8bfb\u53d6\u670d\u52a1\u5668\u7684\u654f\u611f\u6587\u4ef6\uff0c\u501f\u52a9\u786c\u7f16\u7801\u51ed\u8bc1\u5229\u7528\u8be5\u6f0f\u6d1e\u5bf9HMI\u914d\u7f6e\u6587\u4ef6\u8fdb\u884c\u8bfb\u5199\u64cd\u4f5c\u5e76\u91cd\u7f6e\u8bbe\u5907\u3002",
"formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u5df2\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://flink.apache.org/",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2021-07119",
"openTime": "2021-01-28",
"patchDescription": "Apache Flink \u662f\u9ad8\u6548\u548c\u5206\u5e03\u5f0f\u7684\u901a\u7528\u6570\u636e\u5904\u7406\u5e73\u53f0\u3002\r\n\r\nApache Flink\u4ea7\u54c1\u5b58\u5728\u4efb\u610f\u6587\u4ef6\u5199\u5165\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u8be5\u6f0f\u6d1e\u8bfb\u53d6\u670d\u52a1\u5668\u7684\u654f\u611f\u6587\u4ef6\uff0c\u501f\u52a9\u786c\u7f16\u7801\u51ed\u8bc1\u5229\u7528\u8be5\u6f0f\u6d1e\u5bf9HMI\u914d\u7f6e\u6587\u4ef6\u8fdb\u884c\u8bfb\u5199\u64cd\u4f5c\u5e76\u91cd\u7f6e\u8bbe\u5907\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
"patchName": "Apache Flink\u4efb\u610f\u6587\u4ef6\u5199\u5165\u6f0f\u6d1e\u7684\u8865\u4e01",
"products": {
"product": "Apache Flink"
},
"referenceLink": "http://www.openwall.com/lists/oss-security/2021/01/05/1",
"serverity": "\u4e2d",
"submitTime": "2021-01-06",
"title": "Apache Flink\u4efb\u610f\u6587\u4ef6\u5199\u5165\u6f0f\u6d1e"
}
CVE-2020-17518 (GCVE-0-2020-17518)
Vulnerability from cvelistv5 – Published: 2021-01-05 11:40 – Updated: 2025-02-13 16:27
VLAI?
EPSS
Summary
Apache Flink 1.5.1 introduced a REST handler that allows you to write an uploaded file to an arbitrary location on the local file system, through a maliciously modified HTTP HEADER. The files can be written to any location accessible by Flink 1.5.1. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit a5264a6f41524afe8ceadf1d8ddc8c80f323ebc4 from apache/flink:master.
Severity ?
No CVSS data available.
CWE
- CWE-23 - Relative Path Traversal
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Flink |
Affected:
Apache Flink 1.5.1 to 1.11.2
|
Credits
0rich1 of Ant Security FG Lab
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T14:00:48.660Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261%40%3Cdev.flink.apache.org%3E"
},
{
"name": "[flink-dev] 20210105 [CVE-2020-17518] Apache Flink directory traversal attack: remote file writing through the REST API",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261%40%3Cdev.flink.apache.org%3E"
},
{
"name": "[flink-user] 20210105 [CVE-2020-17518] Apache Flink directory traversal attack: remote file writing through the REST API",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261%40%3Cuser.flink.apache.org%3E"
},
{
"name": "[announce] 20210105 [CVE-2020-17518] Apache Flink directory traversal attack: remote file writing through the REST API",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261%40%3Cannounce.apache.org%3E"
},
{
"name": "[oss-security] 20210105 [CVE-2020-17518] Apache Flink directory traversal attack: remote file writing through the REST API",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/01/05/1"
},
{
"name": "[flink-issues] 20210106 [GitHub] [flink-web] zentol commented on a change in pull request #408: Add security page for Flink",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r28f17e564950d663e68cc6fe75756012dda62ac623766bb9bc5e7034%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-dev] 20210106 [jira] [Created] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd6a1a0e2d73220a65a8f6535bbcd24bb66adb0d046c4a1aa18777cf3%40%3Cdev.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210106 [jira] [Created] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r8167f30c4c60a11b8d5be3f55537beeda629be61196e693bde403b36%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210107 [jira] [Updated] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r0b000dc028616d33cb9aa388eb45d516b789cab0024dad94bc06588a%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210107 [jira] [Closed] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r705fb2211b82c9f1f8d2b1d4c823bcbca50402ba09b96608ec657efe%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210107 [jira] [Commented] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r5444acac3407ef6397d6aef1b5aec2db53b4b88ef221e63084c1e5f2%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210112 [jira] [Commented] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r710693b0d3b229c81f485804ea1145b4edda79c9e77d66c39a0a2ff1%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-dev] 20210113 Re: [DISCUSS] Releasing Apache Flink 1.10.3",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra8c96bf3ccb4e491f9ce87ba35f134b4449beb2a38d1ce28fd89001f%40%3Cdev.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210114 [jira] [Reopened] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rfe159ccf496d75813f24c6079c5d33872d83f5a2e39cb32c3aef5a73%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210114 [jira] [Commented] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r7b2ee88c66fc1d0823e66475631f5c3e7f0365204ff0cb094d9f2433%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210114 [jira] [Closed] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rec0d650fbd4ea1a5e1224a347d83a63cb44291c334ad58b8809bc23b%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210114 [jira] [Updated] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf8812a5703f4a5f1341138baf239258b250875699732cfdf9d55b21d%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210114 [jira] [Comment Edited] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rcb9e8af775f2a3706b69153aefde78f208871649df057c70ce2e24f9%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210114 [jira] [Updated] (FLINK-20875) [CVE-2020-17518] Directory traversal attack: remote file writing through the REST API",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r88200d2f0b620c6b4b1585a7171355005c89e678b01d0e71a16c57e7%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210114 [jira] [Commented] (FLINK-20875) [CVE-2020-17518] Directory traversal attack: remote file writing through the REST API",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r4a87837518804b31eb9db3048347ed2bb7b46fbaad5844f22a9fd4dc%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-dev] 20210115 Re: [DISCUSS] Releasing Apache Flink 1.10.3",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r229167538863518738e02f4c1c5a8bb34c1d45dadcc97adf6676b0c1%40%3Cdev.flink.apache.org%3E"
},
{
"name": "[flink-dev] 20210121 Re: [VOTE] Release 1.10.3, release candidate #1",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd2467344f88bcaf108b8209ca92da8ec393c68174bfb8c27d1e20faa%40%3Cdev.flink.apache.org%3E"
},
{
"name": "[announce] 20210125 Apache Software Foundation Security Report: 2020",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922%40%3Cannounce.apache.org%3E"
},
{
"name": "[announce] 20210223 Re: Apache Software Foundation Security Report: 2020",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7%40%3Cannounce.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r26fcdd4fe288323006253437ebc4dd6fdfadfb5e93465a0e4f68420d%40%3Cuser-zh.flink.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Flink",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "Apache Flink 1.5.1 to 1.11.2"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "0rich1 of Ant Security FG Lab"
}
],
"descriptions": [
{
"lang": "en",
"value": "Apache Flink 1.5.1 introduced a REST handler that allows you to write an uploaded file to an arbitrary location on the local file system, through a maliciously modified HTTP HEADER. The files can be written to any location accessible by Flink 1.5.1. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit a5264a6f41524afe8ceadf1d8ddc8c80f323ebc4 from apache/flink:master."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23 Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-04T14:01:40.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261%40%3Cdev.flink.apache.org%3E"
},
{
"name": "[flink-dev] 20210105 [CVE-2020-17518] Apache Flink directory traversal attack: remote file writing through the REST API",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261%40%3Cdev.flink.apache.org%3E"
},
{
"name": "[flink-user] 20210105 [CVE-2020-17518] Apache Flink directory traversal attack: remote file writing through the REST API",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261%40%3Cuser.flink.apache.org%3E"
},
{
"name": "[announce] 20210105 [CVE-2020-17518] Apache Flink directory traversal attack: remote file writing through the REST API",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261%40%3Cannounce.apache.org%3E"
},
{
"name": "[oss-security] 20210105 [CVE-2020-17518] Apache Flink directory traversal attack: remote file writing through the REST API",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/01/05/1"
},
{
"name": "[flink-issues] 20210106 [GitHub] [flink-web] zentol commented on a change in pull request #408: Add security page for Flink",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r28f17e564950d663e68cc6fe75756012dda62ac623766bb9bc5e7034%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-dev] 20210106 [jira] [Created] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd6a1a0e2d73220a65a8f6535bbcd24bb66adb0d046c4a1aa18777cf3%40%3Cdev.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210106 [jira] [Created] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r8167f30c4c60a11b8d5be3f55537beeda629be61196e693bde403b36%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210107 [jira] [Updated] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r0b000dc028616d33cb9aa388eb45d516b789cab0024dad94bc06588a%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210107 [jira] [Closed] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r705fb2211b82c9f1f8d2b1d4c823bcbca50402ba09b96608ec657efe%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210107 [jira] [Commented] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r5444acac3407ef6397d6aef1b5aec2db53b4b88ef221e63084c1e5f2%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210112 [jira] [Commented] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r710693b0d3b229c81f485804ea1145b4edda79c9e77d66c39a0a2ff1%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-dev] 20210113 Re: [DISCUSS] Releasing Apache Flink 1.10.3",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ra8c96bf3ccb4e491f9ce87ba35f134b4449beb2a38d1ce28fd89001f%40%3Cdev.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210114 [jira] [Reopened] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rfe159ccf496d75813f24c6079c5d33872d83f5a2e39cb32c3aef5a73%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210114 [jira] [Commented] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r7b2ee88c66fc1d0823e66475631f5c3e7f0365204ff0cb094d9f2433%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210114 [jira] [Closed] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rec0d650fbd4ea1a5e1224a347d83a63cb44291c334ad58b8809bc23b%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210114 [jira] [Updated] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rf8812a5703f4a5f1341138baf239258b250875699732cfdf9d55b21d%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210114 [jira] [Comment Edited] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rcb9e8af775f2a3706b69153aefde78f208871649df057c70ce2e24f9%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210114 [jira] [Updated] (FLINK-20875) [CVE-2020-17518] Directory traversal attack: remote file writing through the REST API",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r88200d2f0b620c6b4b1585a7171355005c89e678b01d0e71a16c57e7%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210114 [jira] [Commented] (FLINK-20875) [CVE-2020-17518] Directory traversal attack: remote file writing through the REST API",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r4a87837518804b31eb9db3048347ed2bb7b46fbaad5844f22a9fd4dc%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-dev] 20210115 Re: [DISCUSS] Releasing Apache Flink 1.10.3",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r229167538863518738e02f4c1c5a8bb34c1d45dadcc97adf6676b0c1%40%3Cdev.flink.apache.org%3E"
},
{
"name": "[flink-dev] 20210121 Re: [VOTE] Release 1.10.3, release candidate #1",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd2467344f88bcaf108b8209ca92da8ec393c68174bfb8c27d1e20faa%40%3Cdev.flink.apache.org%3E"
},
{
"name": "[announce] 20210125 Apache Software Foundation Security Report: 2020",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922%40%3Cannounce.apache.org%3E"
},
{
"name": "[announce] 20210223 Re: Apache Software Foundation Security Report: 2020",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7%40%3Cannounce.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/r26fcdd4fe288323006253437ebc4dd6fdfadfb5e93465a0e4f68420d%40%3Cuser-zh.flink.apache.org%3E"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Flink directory traversal attack: remote file writing through the REST API",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2020-17518",
"STATE": "PUBLIC",
"TITLE": "Apache Flink directory traversal attack: remote file writing through the REST API"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Flink",
"version": {
"version_data": [
{
"version_name": "Apache Flink",
"version_value": "1.5.1 to 1.11.2"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "0rich1 of Ant Security FG Lab"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache Flink 1.5.1 introduced a REST handler that allows you to write an uploaded file to an arbitrary location on the local file system, through a maliciously modified HTTP HEADER. The files can be written to any location accessible by Flink 1.5.1. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit a5264a6f41524afe8ceadf1d8ddc8c80f323ebc4 from apache/flink:master."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-23 Relative Path Traversal"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261%40%3Cdev.flink.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261%40%3Cdev.flink.apache.org%3E"
},
{
"name": "[flink-dev] 20210105 [CVE-2020-17518] Apache Flink directory traversal attack: remote file writing through the REST API",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261@%3Cdev.flink.apache.org%3E"
},
{
"name": "[flink-user] 20210105 [CVE-2020-17518] Apache Flink directory traversal attack: remote file writing through the REST API",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261@%3Cuser.flink.apache.org%3E"
},
{
"name": "[announce] 20210105 [CVE-2020-17518] Apache Flink directory traversal attack: remote file writing through the REST API",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261@%3Cannounce.apache.org%3E"
},
{
"name": "[oss-security] 20210105 [CVE-2020-17518] Apache Flink directory traversal attack: remote file writing through the REST API",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/01/05/1"
},
{
"name": "[flink-issues] 20210106 [GitHub] [flink-web] zentol commented on a change in pull request #408: Add security page for Flink",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r28f17e564950d663e68cc6fe75756012dda62ac623766bb9bc5e7034@%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-dev] 20210106 [jira] [Created] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd6a1a0e2d73220a65a8f6535bbcd24bb66adb0d046c4a1aa18777cf3@%3Cdev.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210106 [jira] [Created] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r8167f30c4c60a11b8d5be3f55537beeda629be61196e693bde403b36@%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210107 [jira] [Updated] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r0b000dc028616d33cb9aa388eb45d516b789cab0024dad94bc06588a@%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210107 [jira] [Closed] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r705fb2211b82c9f1f8d2b1d4c823bcbca50402ba09b96608ec657efe@%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210107 [jira] [Commented] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r5444acac3407ef6397d6aef1b5aec2db53b4b88ef221e63084c1e5f2@%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210112 [jira] [Commented] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r710693b0d3b229c81f485804ea1145b4edda79c9e77d66c39a0a2ff1@%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-dev] 20210113 Re: [DISCUSS] Releasing Apache Flink 1.10.3",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ra8c96bf3ccb4e491f9ce87ba35f134b4449beb2a38d1ce28fd89001f@%3Cdev.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210114 [jira] [Reopened] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rfe159ccf496d75813f24c6079c5d33872d83f5a2e39cb32c3aef5a73@%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210114 [jira] [Commented] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r7b2ee88c66fc1d0823e66475631f5c3e7f0365204ff0cb094d9f2433@%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210114 [jira] [Closed] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rec0d650fbd4ea1a5e1224a347d83a63cb44291c334ad58b8809bc23b@%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210114 [jira] [Updated] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rf8812a5703f4a5f1341138baf239258b250875699732cfdf9d55b21d@%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210114 [jira] [Comment Edited] (FLINK-20875) Could patch CVE-2020-17518 to version 1.10",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rcb9e8af775f2a3706b69153aefde78f208871649df057c70ce2e24f9@%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210114 [jira] [Updated] (FLINK-20875) [CVE-2020-17518] Directory traversal attack: remote file writing through the REST API",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r88200d2f0b620c6b4b1585a7171355005c89e678b01d0e71a16c57e7@%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210114 [jira] [Commented] (FLINK-20875) [CVE-2020-17518] Directory traversal attack: remote file writing through the REST API",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r4a87837518804b31eb9db3048347ed2bb7b46fbaad5844f22a9fd4dc@%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-dev] 20210115 Re: [DISCUSS] Releasing Apache Flink 1.10.3",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r229167538863518738e02f4c1c5a8bb34c1d45dadcc97adf6676b0c1@%3Cdev.flink.apache.org%3E"
},
{
"name": "[flink-dev] 20210121 Re: [VOTE] Release 1.10.3, release candidate #1",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd2467344f88bcaf108b8209ca92da8ec393c68174bfb8c27d1e20faa@%3Cdev.flink.apache.org%3E"
},
{
"name": "[announce] 20210125 Apache Software Foundation Security Report: 2020",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922@%3Cannounce.apache.org%3E"
},
{
"name": "[announce] 20210223 Re: Apache Software Foundation Security Report: 2020",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7@%3Cannounce.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/r26fcdd4fe288323006253437ebc4dd6fdfadfb5e93465a0e4f68420d@%3Cuser-zh.flink.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/r26fcdd4fe288323006253437ebc4dd6fdfadfb5e93465a0e4f68420d@%3Cuser-zh.flink.apache.org%3E"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2020-17518",
"datePublished": "2021-01-05T11:40:13.000Z",
"dateReserved": "2020-08-12T00:00:00.000Z",
"dateUpdated": "2025-02-13T16:27:34.016Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…