CVE-2020-17519

CVE-2020-17519: Apache Flink directory traversal attack: reading remote files through the REST API

Vendor Apache Software Foundation

Product Apache Flink

Weakness CWE-552 · Files accessible externally

KEV Status Known Exploited

Published January 5, 2021

Last update October 21, 2025

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. Access is restricted to files accessible by the JobManager process. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit b561010b0ee741543c3953306037f00d7a9f0801 from apache/flink:master.

CISA mandated remediation

02CISA Required Action

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Key dates

03Disclosure timeline

January 5, 2021 CVE published

October 21, 2025 Record updated

External resources

04References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2020-17519 CISA KEV Reference https://lists.apache.org/thread/typ0h03zyfrzjqlnb7plh64df1g2383d CISA KEV Reference https://nvd.nist.gov/vuln/detail/CVE-2020-17519

Related vulnerabilities

CVE-2020-17519: Apache Flink directory traversal attack: reading remote files through the REST API

01Description

02CISA Required Action

03Disclosure timeline

04References

05Related CVE