QwikSec

Security Database

CVE

CWE

Training

CVE-2020-17519

Published: Jan 5, 2021

Modified: Oct 21, 2025

PUBLISHED

Description

A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. Access is restricted to files accessible by the JobManager process. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit b561010b0ee741543c3953306037f00d7a9f0801 from apache/flink:master.

Vendor	Product	Versions
Apache Software Foundation	Apache Flink	affected `Apache Flink 1.11.0 to 1.11.2`

Weaknesses (CWE)

References

https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d%40%3Cdev.flink.apache.org%3E

x_refsource_MISC

[flink-user] 20210105 [CVE-2020-17519] Apache Flink directory traversal attack: reading remote files through the REST API

mailing-list

x_refsource_MLIST

[flink-dev] 20210105 [CVE-2020-17519] Apache Flink directory traversal attack: reading remote files through the REST API

mailing-list

x_refsource_MLIST

[announce] 20210105 [CVE-2020-17519] Apache Flink directory traversal attack: reading remote files through the REST API

mailing-list

x_refsource_MLIST

[oss-security] 20210105 [CVE-2020-17519] Apache Flink directory traversal attack: reading remote files through the REST API

mailing-list

x_refsource_MLIST

[flink-issues] 20210106 [GitHub] [flink-web] zentol commented on a change in pull request #408: Add security page for Flink

mailing-list

x_refsource_MLIST

http://packetstormsecurity.com/files/160849/Apache-Flink-1.11.0-Arbitrary-File-Read-Directory-Traversal.html

x_refsource_MISC

[flink-issues] 20210110 [jira] [Updated] (FLINK-20916) Typo in test for CVE-2020-17519

mailing-list

x_refsource_MLIST

[flink-dev] 20210110 [jira] [Created] (FLINK-20916) Typo in test for CVE-2020-17519

mailing-list

x_refsource_MLIST

[flink-issues] 20210110 [jira] [Created] (FLINK-20916) Typo in test for CVE-2020-17519

mailing-list

x_refsource_MLIST

[flink-issues] 20210111 [jira] [Assigned] (FLINK-20916) Typo in test for CVE-2020-17519

mailing-list

x_refsource_MLIST

[flink-issues] 20210111 [jira] [Commented] (FLINK-20916) Typo in test for CVE-2020-17519

mailing-list

x_refsource_MLIST

[flink-dev] 20210113 Re: [DISCUSS] Releasing Apache Flink 1.10.3

mailing-list

x_refsource_MLIST

[flink-dev] 20210115 Re: [DISCUSS] Releasing Apache Flink 1.10.3

mailing-list

x_refsource_MLIST

[announce] 20210125 Apache Software Foundation Security Report: 2020

mailing-list

x_refsource_MLIST

[announce] 20210223 Re: Apache Software Foundation Security Report: 2020

mailing-list

x_refsource_MLIST

https://lists.apache.org/thread.html/r26fcdd4fe288323006253437ebc4dd6fdfadfb5e93465a0e4f68420d%40%3Cuser-zh.flink.apache.org%3E

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.