var-202101-0146
Vulnerability from variot
A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. Access is restricted to files accessible by the JobManager process. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit b561010b0ee741543c3953306037f00d7a9f0801 from apache/flink:master. Apache Flink Exists in a vulnerability in externally accessible files or directories.Information may be obtained. Apache Flink is an efficient and distributed general data processing platform. Attackers can use this vulnerability to read sensitive files on the server, use hard-coded credentials to use the vulnerability to read and write HMI configuration files and reset the device
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", affected_products: { "@id": "https://www.variotdbs.pl/ref/affected_products", }, configurations: { "@id": "https://www.variotdbs.pl/ref/configurations", }, credits: { "@id": "https://www.variotdbs.pl/ref/credits", }, cvss: { "@id": "https://www.variotdbs.pl/ref/cvss/", }, description: { "@id": "https://www.variotdbs.pl/ref/description/", }, exploit_availability: { "@id": "https://www.variotdbs.pl/ref/exploit_availability/", }, external_ids: { "@id": "https://www.variotdbs.pl/ref/external_ids/", }, iot: { "@id": "https://www.variotdbs.pl/ref/iot/", }, iot_taxonomy: { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/", }, patch: { "@id": "https://www.variotdbs.pl/ref/patch/", }, problemtype_data: { "@id": "https://www.variotdbs.pl/ref/problemtype_data/", }, references: { "@id": "https://www.variotdbs.pl/ref/references/", }, sources: { "@id": "https://www.variotdbs.pl/ref/sources/", }, sources_release_date: { "@id": "https://www.variotdbs.pl/ref/sources_release_date/", }, sources_update_date: { "@id": "https://www.variotdbs.pl/ref/sources_update_date/", }, threat_type: { "@id": "https://www.variotdbs.pl/ref/threat_type/", }, title: { "@id": "https://www.variotdbs.pl/ref/title/", }, type: { "@id": "https://www.variotdbs.pl/ref/type/", }, }, "@id": "https://www.variotdbs.pl/vuln/VAR-202101-0146", affected_products: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, "@id": "https://www.variotdbs.pl/ref/sources", }, }, data: [ { model: "flink", scope: "gte", trust: 1, vendor: "apache", version: "1.11.0", }, { model: "flink", scope: "lt", trust: 1, vendor: "apache", version: "1.11.3", }, { model: "flink", scope: "eq", trust: 0.8, vendor: "apache", version: "1.11.1", }, { model: "flink", scope: "eq", trust: 0.8, vendor: "apache", version: "1.11.0", }, { model: "flink", scope: "eq", trust: 0.8, vendor: "apache", version: "1.11.2", }, { model: "flink", scope: "eq", trust: 0.8, vendor: "apache", version: null, }, { model: "flink", scope: "gte", trust: 0.6, vendor: "apache", version: "1.11.0,<=1.11.2", }, ], sources: [ { db: "CNVD", id: "CNVD-2021-02361", }, { db: "JVNDB", id: "JVNDB-2020-015211", }, { db: "NVD", id: "CVE-2020-17519", }, ], }, configurations: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", children: { "@container": "@list", }, cpe_match: { "@container": "@list", }, data: { "@container": "@list", }, nodes: { "@container": "@list", }, }, data: [ { CVE_data_version: "4.0", nodes: [ { children: [], cpe_match: [ { cpe23Uri: "cpe:2.3:a:apache:flink:*:*:*:*:*:*:*:*", cpe_name: [], versionEndIncluding: "1.11.2", versionStartIncluding: "1.11.0", vulnerable: true, }, ], operator: "OR", }, ], }, ], sources: [ { db: "NVD", id: "CVE-2020-17519", }, ], }, credits: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "SunCSR", sources: [ { db: "CNNVD", id: "CNNVD-202101-271", }, ], trust: 0.6, }, cve: "CVE-2020-17519", cvss: { "@context": { cvssV2: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#", }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2", }, cvssV3: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#", }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/", }, severity: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#", }, "@id": "https://www.variotdbs.pl/ref/cvss/severity", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, "@id": "https://www.variotdbs.pl/ref/sources", }, }, data: [ { cvssV2: [ { acInsufInfo: false, accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", author: "NVD", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", exploitabilityScore: 10, impactScore: 2.9, integrityImpact: "NONE", obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, severity: "MEDIUM", trust: 1, userInteractionRequired: false, vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, { acInsufInfo: null, accessComplexity: "Low", accessVector: "Network", authentication: "None", author: "NVD", availabilityImpact: "None", baseScore: 5, confidentialityImpact: "Partial", exploitabilityScore: null, id: "CVE-2020-17519", impactScore: null, integrityImpact: "None", obtainAllPrivilege: null, obtainOtherPrivilege: null, obtainUserPrivilege: null, severity: "Medium", trust: 0.9, userInteractionRequired: null, vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", author: "CNVD", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", exploitabilityScore: 10, id: "CNVD-2021-02361", impactScore: 2.9, integrityImpact: "NONE", severity: "MEDIUM", trust: 0.6, vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, ], cvssV3: [ { attackComplexity: "LOW", attackVector: "NETWORK", author: "NVD", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", exploitabilityScore: 3.9, impactScore: 3.6, integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", trust: 1, userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, { attackComplexity: "Low", attackVector: "Network", author: "NVD", availabilityImpact: "None", baseScore: 7.5, baseSeverity: "High", confidentialityImpact: "High", exploitabilityScore: null, id: "CVE-2020-17519", impactScore: null, integrityImpact: "None", privilegesRequired: "None", scope: "Unchanged", trust: 0.8, userInteraction: "None", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, ], severity: [ { author: "NVD", id: "CVE-2020-17519", trust: 1.8, value: "HIGH", }, { author: "CNVD", id: "CNVD-2021-02361", trust: 0.6, value: "MEDIUM", }, { author: "CNNVD", id: "CNNVD-202101-271", trust: 0.6, value: "HIGH", }, { author: "VULMON", id: "CVE-2020-17519", trust: 0.1, value: "MEDIUM", }, ], }, ], sources: [ { db: "CNVD", id: "CNVD-2021-02361", }, { db: "VULMON", id: "CVE-2020-17519", }, { db: "JVNDB", id: "JVNDB-2020-015211", }, { db: "CNNVD", id: "CNNVD-202101-271", }, { db: "NVD", id: "CVE-2020-17519", }, ], }, description: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. Access is restricted to files accessible by the JobManager process. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit b561010b0ee741543c3953306037f00d7a9f0801 from apache/flink:master. Apache Flink Exists in a vulnerability in externally accessible files or directories.Information may be obtained. Apache Flink is an efficient and distributed general data processing platform. Attackers can use this vulnerability to read sensitive files on the server, use hard-coded credentials to use the vulnerability to read and write HMI configuration files and reset the device", sources: [ { db: "NVD", id: "CVE-2020-17519", }, { db: "JVNDB", id: "JVNDB-2020-015211", }, { db: "CNVD", id: "CNVD-2021-02361", }, { db: "VULMON", id: "CVE-2020-17519", }, ], trust: 2.25, }, external_ids: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { db: "NVD", id: "CVE-2020-17519", trust: 3.9, }, { db: "OPENWALL", id: "OSS-SECURITY/2021/01/05/2", trust: 2.2, }, { db: "PACKETSTORM", id: "160849", trust: 1.6, }, { db: "JVNDB", id: "JVNDB-2020-015211", trust: 0.8, }, { db: "CNVD", id: "CNVD-2021-02361", trust: 0.6, }, { db: "EXPLOIT-DB", id: "49398", trust: 0.6, }, { db: "CNNVD", id: "CNNVD-202101-271", trust: 0.6, }, { db: "VULMON", id: "CVE-2020-17519", trust: 0.1, }, ], sources: [ { db: "CNVD", id: "CNVD-2021-02361", }, { db: "VULMON", id: "CVE-2020-17519", }, { db: "JVNDB", id: "JVNDB-2020-015211", }, { db: "CNNVD", id: "CNNVD-202101-271", }, { db: "NVD", id: "CVE-2020-17519", }, ], }, id: "VAR-202101-0146", iot: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: true, sources: [ { db: "CNVD", id: "CNVD-2021-02361", }, ], trust: 1.05833334, }, iot_taxonomy: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { category: [ "ICS", ], sub_category: null, trust: 0.6, }, ], sources: [ { db: "CNVD", id: "CNVD-2021-02361", }, ], }, last_update_date: "2024-06-10T23:02:24.713000Z", patch: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { title: "[DISCUSS] Releasing Apache Flink 1.10.3", trust: 0.8, url: "https://lists.apache.org/thread.html/r0a433be10676f4fe97ca423d08f914e0ead341c901216f292d2bbe83@%3cissues.flink.apache.org%3e", }, { title: "Patch for Apache Flink arbitrary file reading vulnerability", trust: 0.6, url: "https://www.cnvd.org.cn/patchinfo/show/243637", }, { title: "Apache Flink Security vulnerabilities", trust: 0.6, url: "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=138918", }, { title: "westone-CVE-2020-17519-scanner\nInstallation & Usage", trust: 0.1, url: "https://github.com/osyanina/westone-cve-2020-17519-scanner ", }, ], sources: [ { db: "CNVD", id: "CNVD-2021-02361", }, { db: "VULMON", id: "CVE-2020-17519", }, { db: "JVNDB", id: "JVNDB-2020-015211", }, { db: "CNNVD", id: "CNNVD-202101-271", }, ], }, problemtype_data: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { problemtype: "CWE-552", trust: 1, }, { problemtype: "Externally accessible file or directory (CWE-552) [NVD evaluation ]", trust: 0.8, }, ], sources: [ { db: "JVNDB", id: "JVNDB-2020-015211", }, { db: "NVD", id: "CVE-2020-17519", }, ], }, references: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { trust: 2.2, url: "http://www.openwall.com/lists/oss-security/2021/01/05/2", }, { trust: 2.2, url: "http://packetstormsecurity.com/files/160849/apache-flink-1.11.0-arbitrary-file-read-directory-traversal.html", }, { trust: 1.6, url: "https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d%40%3cdev.flink.apache.org%3e", }, { trust: 1.4, url: "https://nvd.nist.gov/vuln/detail/cve-2020-17519", }, { trust: 1, url: "https://lists.apache.org/thread.html/r0a433be10676f4fe97ca423d08f914e0ead341c901216f292d2bbe83%40%3cissues.flink.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7%40%3cannounce.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r229167538863518738e02f4c1c5a8bb34c1d45dadcc97adf6676b0c1%40%3cdev.flink.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r26fcdd4fe288323006253437ebc4dd6fdfadfb5e93465a0e4f68420d%40%3cuser-zh.flink.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r28f17e564950d663e68cc6fe75756012dda62ac623766bb9bc5e7034%40%3cissues.flink.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r2fc60b30557e4a537c2a6293023049bd1c49fd92b518309aa85a0398%40%3cissues.flink.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r4e1b72bfa789ea5bc20b8afe56119200ed25bdab0eb80d664fa5bfe2%40%3cdev.flink.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d%40%3cannounce.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d%40%3cuser.flink.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r88b55f3ebf1f8f4e1cc61f030252aaef4b77060b56557a243abb92a1%40%3cissues.flink.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r88f427865fb6aa6e6378efe07632a1906b430365e15e3b9621aabe1d%40%3cissues.flink.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922%40%3cannounce.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/ra8c96bf3ccb4e491f9ce87ba35f134b4449beb2a38d1ce28fd89001f%40%3cdev.flink.apache.org%3e", }, { trust: 0.8, url: "https://cisa.gov/known-exploited-vulnerabilities-catalog", }, { trust: 0.6, url: "https://lists.apache.org/thread.html/r28f17e564950d663e68cc6fe75756012dda62ac623766bb9bc5e7034@%3cissues.flink.apache.org%3e", }, { trust: 0.6, url: "https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7@%3cannounce.apache.org%3e", }, { trust: 0.6, url: "https://lists.apache.org/thread.html/r88f427865fb6aa6e6378efe07632a1906b430365e15e3b9621aabe1d@%3cissues.flink.apache.org%3e", }, { trust: 0.6, url: "https://lists.apache.org/thread.html/r4e1b72bfa789ea5bc20b8afe56119200ed25bdab0eb80d664fa5bfe2@%3cdev.flink.apache.org%3e", }, { trust: 0.6, url: "https://lists.apache.org/thread.html/ra8c96bf3ccb4e491f9ce87ba35f134b4449beb2a38d1ce28fd89001f@%3cdev.flink.apache.org%3e", }, { trust: 0.6, url: "https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d@%3cuser.flink.apache.org%3e", }, { trust: 0.6, url: "https://lists.apache.org/thread.html/r88b55f3ebf1f8f4e1cc61f030252aaef4b77060b56557a243abb92a1@%3cissues.flink.apache.org%3e", }, { trust: 0.6, url: "https://lists.apache.org/thread.html/r26fcdd4fe288323006253437ebc4dd6fdfadfb5e93465a0e4f68420d@%3cuser-zh.flink.apache.org%3e", }, { trust: 0.6, url: "https://lists.apache.org/thread.html/r229167538863518738e02f4c1c5a8bb34c1d45dadcc97adf6676b0c1@%3cdev.flink.apache.org%3e", }, { trust: 0.6, url: "https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d@%3cdev.flink.apache.org%3e", }, { trust: 0.6, url: "https://lists.apache.org/thread.html/r2fc60b30557e4a537c2a6293023049bd1c49fd92b518309aa85a0398@%3cissues.flink.apache.org%3e", }, { trust: 0.6, url: "https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922@%3cannounce.apache.org%3e", }, { trust: 0.6, url: "https://lists.apache.org/thread.html/r0a433be10676f4fe97ca423d08f914e0ead341c901216f292d2bbe83@%3cissues.flink.apache.org%3e", }, { trust: 0.6, url: "https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d@%3cannounce.apache.org%3e", }, { trust: 0.6, url: "https://www.exploit-db.com/exploits/49398", }, ], sources: [ { db: "CNVD", id: "CNVD-2021-02361", }, { db: "JVNDB", id: "JVNDB-2020-015211", }, { db: "CNNVD", id: "CNNVD-202101-271", }, { db: "NVD", id: "CVE-2020-17519", }, ], }, sources: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", data: { "@container": "@list", }, }, data: [ { db: "CNVD", id: "CNVD-2021-02361", }, { db: "VULMON", id: "CVE-2020-17519", }, { db: "JVNDB", id: "JVNDB-2020-015211", }, { db: "CNNVD", id: "CNNVD-202101-271", }, { db: "NVD", id: "CVE-2020-17519", }, ], }, sources_release_date: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", data: { "@container": "@list", }, }, data: [ { date: "2021-01-10T00:00:00", db: "CNVD", id: "CNVD-2021-02361", }, { date: "2021-01-05T00:00:00", db: "VULMON", id: "CVE-2020-17519", }, { date: "2021-09-14T00:00:00", db: "JVNDB", id: "JVNDB-2020-015211", }, { date: "2021-01-05T00:00:00", db: "CNNVD", id: "CNNVD-202101-271", }, { date: "2021-01-05T12:15:12.680000", db: "NVD", id: "CVE-2020-17519", }, ], }, sources_update_date: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", data: { "@container": "@list", }, }, data: [ { date: "2021-01-13T00:00:00", db: "CNVD", id: "CNVD-2021-02361", }, { date: "2023-11-07T00:00:00", db: "VULMON", id: "CVE-2020-17519", }, { date: "2024-05-31T06:54:00", db: "JVNDB", id: "JVNDB-2020-015211", }, { date: "2021-03-03T00:00:00", db: "CNNVD", id: "CNNVD-202101-271", }, { date: "2024-06-10T15:23:11.997000", db: "NVD", id: "CVE-2020-17519", }, ], }, threat_type: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "remote", sources: [ { db: "CNNVD", id: "CNNVD-202101-271", }, ], trust: 0.6, }, title: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "Apache Flink Vulnerability in externally accessible files or directories in", sources: [ { db: "JVNDB", id: "JVNDB-2020-015211", }, ], trust: 0.8, }, type: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "other", sources: [ { db: "CNNVD", id: "CNNVD-202101-271", }, ], trust: 0.6, }, }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
Title of the comment
Description of the comment
Loading…
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.