Apache Flink directory traversal attack: remote file writing through the REST API
CVE-2020-17518

7.5HIGH

Key Information:

Vendor
Apache
Status
Apache Flink
Vendor
CVE Published:
5 January 2021

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 95%

Summary

Apache Flink 1.5.1 introduced a REST handler that allows you to write an uploaded file to an arbitrary location on the local file system, through a maliciously modified HTTP HEADER. The files can be written to any location accessible by Flink 1.5.1. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit a5264a6f41524afe8ceadf1d8ddc8c80f323ebc4 from apache/flink:master.

Affected Version(s)

Apache Flink Apache Flink 1.5.1 to 1.11.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2020-17518
Created by QmF0c3UK

CVE-2020-17518
Created by murataydemir

Flink-CVE-2020-17518-getshell
Created by rakjong

References

https://lists.apache.org/thread.html/rb43cd476419a48be89c...
x_refsource_MISC
https://lists.apache.org/thread.html/rb43cd476419a48be89c...
mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/rb43cd476419a48be89c...
mailing-listx_refsource_MLIST

EPSS Score

95% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

0rich1 of Ant Security FG Lab
.