CVE-2020-17519

unknown KEV
Published 2021-01-06 · Modified 2024-05-23
CVSS v3: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H
CVSS v2:
VIR risk: 1.5

Description

Apache Flink contains an improper access control vulnerability that allows an attacker to read any file on the local filesystem of the JobManager through its REST interface.

CISA KEV

Vendor: Apache
Product: Flink
Due date: 2024-06-13

Predictions

Exploit likelihood: 99%
Patch ETA:

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: cisa-kev — This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see: https://lists.apache.org/thread/typ0h03zyfrzjqlnb7plh64df1g2383d; https://nvd.nist.gov/vuln/detail/CVE-2020-17519

Exploits

Package impact

Ecosystem    Package                               Vulnerable          Fixed
java Maven   org.apache.flink:flink-runtime_2.11   >=1.11.0,<1.11.3    1.11.3
java Maven   org.apache.flink:flink-runtime_2.12   >=1.11.0,<1.11.3    1.11.3

References
