CyberSec.Space Logo
Back to CVE Browser

CVE-2020-17519

Known Exploited (CISA KEV)HIGH
7.5
CVSS Severity Score
EPSS Score51.4900%
EPSS Percentile88.57th
PublishedJan 5, 2021
Last ModifiedOct 27, 2025

Vulnerability Description

A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. Access is restricted to files accessible by the JobManager process. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit b561010b0ee741543c3953306037f00d7a9f0801 from apache/flink:master.

Affected Platforms (CPE)

πŸ“¦
Apache

Flink

>= 1.11.0 and < 1.11.3

References & Advisories

πŸ”— http://packetstormsecurity.com/files/160849/Apache-Flink-1.11.0-Arbitrary-File-Read-Directory-Traversal.html
πŸ”— http://www.openwall.com/lists/oss-security/2021/01/05/2
πŸ”— https://lists.apache.org/thread.html/r0a433be10676f4fe97ca423d08f914e0ead341c901216f292d2bbe83%40%3Cissues.flink.apache.org%3E
πŸ”— https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7%40%3Cannounce.apache.org%3E
πŸ”— https://lists.apache.org/thread.html/r229167538863518738e02f4c1c5a8bb34c1d45dadcc97adf6676b0c1%40%3Cdev.flink.apache.org%3E
πŸ”— https://lists.apache.org/thread.html/r26fcdd4fe288323006253437ebc4dd6fdfadfb5e93465a0e4f68420d%40%3Cuser-zh.flink.apache.org%3E
πŸ”— https://lists.apache.org/thread.html/r28f17e564950d663e68cc6fe75756012dda62ac623766bb9bc5e7034%40%3Cissues.flink.apache.org%3E
πŸ”— https://lists.apache.org/thread.html/r2fc60b30557e4a537c2a6293023049bd1c49fd92b518309aa85a0398%40%3Cissues.flink.apache.org%3E

Related Vulnerabilities

CVE-2020-175187.5

Apache Flink 1.5.1 introduced a REST handler that allows you to write an uploaded file to an arbitrary location on the local file ...

CVE-2020-19604.7

A vulnerability in Apache Flink (1.1.0 to 1.1.5, 1.2.0 to 1.2.1, 1.3.0 to 1.3.3, 1.4.0 to 1.4.2, 1.5.0 to 1.5.6, 1.6.0 to 1.6.4, 1...

CVE-2026-121917.8

A vulnerability was found in Comma AI Openpilot 0.11. This issue affects the function pickle.load/pickle.loads of the file selfdri...

CVE-2026-121905.3

A vulnerability has been found in Genspark AI Workspace App 2.8.4 on Android. This vulnerability affects unknown code of the compo...