Vulnerability in Apache Flink Due to JMX Reporter Configuration
CVE-2020-1960

4.7MEDIUM

Key Information:

Vendor
Apache
Status
Apache Flink
Vendor
CVE Published:
14 May 2020

Summary

A vulnerability in Apache Flink allows an attacker with local access to exploit a poorly configured JMXReporter. When JMX is enabled and a specific port is set up, the attacker can craft a request to redirect the JMXRMI registry to their own system, enabling them to intercept JMX connections. This exploitation grants the attacker access to sensitive data, including credentials and data transferred through the JMX interface.

Affected Version(s)

Apache Flink Apache Flink 1.1.0 to 1.1.5, 1.2.0 to 1.2.1, 1.3.0 to 1.3.3, 1.4.0 to 1.4.2, 1.5.0 to 1.5.6, 1.6.0 to 1.6.4, 1.7.0 to 1.7.2, 1.8.0 to 1.8.3, 1.9.0 to 1.9.2, 1.10.0

References

https://lists.apache.org/thread.html/r23e559dee1e69741557...
x_refsource_MISC
https://lists.apache.org/thread.html/r28f17e564950d663e68...
mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/r663cf0d5c386bba2f56...
mailing-listx_refsource_MLIST

CVSS V3.1

Score:
4.7
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Local
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.