CVE-2020-17518

CVE-2020-17518: Apache Flink directory traversal attack: remote file writing through the REST API

Vendor Apache Software Foundation

Product Apache Flink

Weakness CWE-23

Published January 5, 2021

Last update February 13, 2025

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

Apache Flink 1.5.1 introduced a REST handler that allows you to write an uploaded file to an arbitrary location on the local file system, through a maliciously modified HTTP HEADER. The files can be written to any location accessible by Flink 1.5.1. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit a5264a6f41524afe8ceadf1d8ddc8c80f323ebc4 from apache/flink:master.

Key dates

02Disclosure timeline

January 5, 2021 CVE published

February 13, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2020-17518

Related vulnerabilities

CVE-2020-17518: Apache Flink directory traversal attack: remote file writing through the REST API

01Description

02Disclosure timeline

03References

04Related CVE