Home > Vulnerability Database > CVE-2020-17518

Mend.io Vulnerability Database

New vulnerability? Tell us about it!

CVE-2020-17518

Good to know:

Date: January 5, 2021

Apache Flink 1.5.1 introduced a REST handler that allows you to write an uploaded file to an arbitrary location on the local file system, through a maliciously modified HTTP HEADER. The files can be written to any location accessible by Flink 1.5.1. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit a5264a6f41524afe8ceadf1d8ddc8c80f323ebc4 from apache/flink:master.

Language: Java

Severity Score

5.3

Related Resources (50)

Url: https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261%40%3Cannounce.apache.org%3E

Url: https://lists.apache.org/thread.html/r26fcdd4fe288323006253437ebc4dd6fdfadfb5e93465a0e4f68420d@%3Cuser-zh.flink.apache.org%3E

Url: https://lists.apache.org/thread.html/r8167f30c4c60a11b8d5be3f55537beeda629be61196e693bde403b36@%3Cissues.flink.apache.org%3E

Url: https://lists.apache.org/thread.html/r705fb2211b82c9f1f8d2b1d4c823bcbca50402ba09b96608ec657efe%40%3Cissues.flink.apache.org%3E

Url: https://lists.apache.org/thread.html/rf8812a5703f4a5f1341138baf239258b250875699732cfdf9d55b21d@%3Cissues.flink.apache.org%3E

Url: https://lists.apache.org/thread.html/rfe159ccf496d75813f24c6079c5d33872d83f5a2e39cb32c3aef5a73%40%3Cissues.flink.apache.org%3E

Url: https://lists.apache.org/thread.html/rec0d650fbd4ea1a5e1224a347d83a63cb44291c334ad58b8809bc23b@%3Cissues.flink.apache.org%3E

Url: https://lists.apache.org/thread.html/ra8c96bf3ccb4e491f9ce87ba35f134b4449beb2a38d1ce28fd89001f%40%3Cdev.flink.apache.org%3E

Url: https://lists.apache.org/thread.html/r0b000dc028616d33cb9aa388eb45d516b789cab0024dad94bc06588a@%3Cissues.flink.apache.org%3E

Url: https://lists.apache.org/thread.html/r710693b0d3b229c81f485804ea1145b4edda79c9e77d66c39a0a2ff1%40%3Cissues.flink.apache.org%3E

Url: https://lists.apache.org/thread.html/r5444acac3407ef6397d6aef1b5aec2db53b4b88ef221e63084c1e5f2@%3Cissues.flink.apache.org%3E

Url: https://lists.apache.org/thread.html/r28f17e564950d663e68cc6fe75756012dda62ac623766bb9bc5e7034@%3Cissues.flink.apache.org%3E

Url: https://lists.apache.org/thread.html/r710693b0d3b229c81f485804ea1145b4edda79c9e77d66c39a0a2ff1@%3Cissues.flink.apache.org%3E

Url: https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261@%3Cuser.flink.apache.org%3E

Url: https://lists.apache.org/thread.html/r705fb2211b82c9f1f8d2b1d4c823bcbca50402ba09b96608ec657efe@%3Cissues.flink.apache.org%3E

Url: https://lists.apache.org/thread.html/rfe159ccf496d75813f24c6079c5d33872d83f5a2e39cb32c3aef5a73@%3Cissues.flink.apache.org%3E

Url: https://lists.apache.org/thread.html/rcb9e8af775f2a3706b69153aefde78f208871649df057c70ce2e24f9@%3Cissues.flink.apache.org%3E

Url: https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7%40%3Cannounce.apache.org%3E

Url: https://lists.apache.org/thread.html/r8167f30c4c60a11b8d5be3f55537beeda629be61196e693bde403b36%40%3Cissues.flink.apache.org%3E

Url: http://www.openwall.com/lists/oss-security/2021/01/05/1

Url: https://lists.apache.org/thread.html/rf8812a5703f4a5f1341138baf239258b250875699732cfdf9d55b21d%40%3Cissues.flink.apache.org%3E

Url: https://nvd.nist.gov/vuln/detail/CVE-2020-17518

Url: https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7@%3Cannounce.apache.org%3E

Url: https://lists.apache.org/thread.html/rcb9e8af775f2a3706b69153aefde78f208871649df057c70ce2e24f9%40%3Cissues.flink.apache.org%3E

Url: https://lists.apache.org/thread.html/rd6a1a0e2d73220a65a8f6535bbcd24bb66adb0d046c4a1aa18777cf3%40%3Cdev.flink.apache.org%3E

Url: https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261@%3Cannounce.apache.org%3E

Url: https://lists.apache.org/thread.html/r229167538863518738e02f4c1c5a8bb34c1d45dadcc97adf6676b0c1@%3Cdev.flink.apache.org%3E

Url: https://lists.apache.org/thread.html/r4a87837518804b31eb9db3048347ed2bb7b46fbaad5844f22a9fd4dc%40%3Cissues.flink.apache.org%3E

Url: https://lists.apache.org/thread.html/r5444acac3407ef6397d6aef1b5aec2db53b4b88ef221e63084c1e5f2%40%3Cissues.flink.apache.org%3E

Url: https://lists.apache.org/thread.html/rd6a1a0e2d73220a65a8f6535bbcd24bb66adb0d046c4a1aa18777cf3@%3Cdev.flink.apache.org%3E

Url: https://lists.apache.org/thread.html/r7b2ee88c66fc1d0823e66475631f5c3e7f0365204ff0cb094d9f2433@%3Cissues.flink.apache.org%3E

Url: https://lists.apache.org/thread.html/r88200d2f0b620c6b4b1585a7171355005c89e678b01d0e71a16c57e7@%3Cissues.flink.apache.org%3E

Url: https://lists.apache.org/thread.html/r7b2ee88c66fc1d0823e66475631f5c3e7f0365204ff0cb094d9f2433%40%3Cissues.flink.apache.org%3E

Url: https://lists.apache.org/thread.html/r4a87837518804b31eb9db3048347ed2bb7b46fbaad5844f22a9fd4dc@%3Cissues.flink.apache.org%3E

Url: https://lists.apache.org/thread.html/r28f17e564950d663e68cc6fe75756012dda62ac623766bb9bc5e7034%40%3Cissues.flink.apache.org%3E

Url: https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922%40%3Cannounce.apache.org%3E

Url: https://lists.apache.org/thread.html/r0b000dc028616d33cb9aa388eb45d516b789cab0024dad94bc06588a%40%3Cissues.flink.apache.org%3E

Url: https://lists.apache.org/thread.html/r229167538863518738e02f4c1c5a8bb34c1d45dadcc97adf6676b0c1%40%3Cdev.flink.apache.org%3E

Url: https://lists.apache.org/thread.html/rec0d650fbd4ea1a5e1224a347d83a63cb44291c334ad58b8809bc23b%40%3Cissues.flink.apache.org%3E

Url: https://lists.apache.org/thread.html/ra8c96bf3ccb4e491f9ce87ba35f134b4449beb2a38d1ce28fd89001f@%3Cdev.flink.apache.org%3E

Url: https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922@%3Cannounce.apache.org%3E

Url: https://lists.apache.org/thread.html/rd2467344f88bcaf108b8209ca92da8ec393c68174bfb8c27d1e20faa%40%3Cdev.flink.apache.org%3E

Url: https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261%40%3Cuser.flink.apache.org%3E

Url: https://lists.apache.org/thread.html/r26fcdd4fe288323006253437ebc4dd6fdfadfb5e93465a0e4f68420d%40%3Cuser-zh.flink.apache.org%3E

Url: https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261%40%3Cdev.flink.apache.org%3E

Url: https://lists.apache.org/thread.html/r88200d2f0b620c6b4b1585a7171355005c89e678b01d0e71a16c57e7%40%3Cissues.flink.apache.org%3E

Url: https://github.com/apache/flink/commit/a5264a6f41524afe8ceadf1d8ddc8c80f323ebc4

Url: https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261@%3Cdev.flink.apache.org%3E

Url: https://lists.apache.org/thread.html/rd2467344f88bcaf108b8209ca92da8ec393c68174bfb8c27d1e20faa@%3Cdev.flink.apache.org%3E

Url: https://www.mend.io/vulnerability-database/CVE-2020-17518

Severity Score

5.3

Weakness Type (CWE)

Path Traversal

CWE-22

Relative Path Traversal

CWE-23

Top Fix

Upgrade Version

Upgrade to version release-1.11.3-rc1;release-1.12.0-rc2

CVSS v3.1

Base Score:	5.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	LOW
Availability (A):	NONE

CVSS v2

Base Score:	5.0
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	NONE
Integrity (I):	PARTIAL
Availability (A):	NONE
Additional information:

Do you need more information?

Contact Us