Three-year-old Apache Flink flaw now under active attack
Briefly

A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process.
Apache addressed the issue with versions 1.11.3 and 1.12.0. Shortly after, security researchers published exploit code. Federal agencies and other organizations are urged to update.
Uncle Sam's Cybersecurity and Infrastructure Security Agency (CISA) included CVE-2020-17519 in the Known Exploited Vulnerabilities catalog. Who is exploiting the bug, and for what purpose, remains unknown.
Read at The Register