CVE-2020-17519 Overview
A directory traversal vulnerability was introduced in Apache Flink version 1.11.0 (and persisted in 1.11.1 and 1.11.2) that allows remote attackers to read arbitrary files on the local filesystem of the JobManager through its REST interface. This vulnerability enables unauthenticated attackers to access any file readable by the JobManager process, potentially exposing sensitive configuration data, credentials, and other critical information.
Critical Impact
This vulnerability is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation in the wild. Organizations running exposed Apache Flink instances should treat remediation as an urgent priority.
Affected Products
- Apache Flink 1.11.0
- Apache Flink 1.11.1
- Apache Flink 1.11.2
Discovery Timeline
- 2021-01-05 - CVE-2020-17519 published to NVD
- 2025-10-27 - Last updated in NVD database
Technical Details for CVE-2020-17519
Vulnerability Analysis
This vulnerability falls under CWE-552 (Files or Directories Accessible to External Parties), manifesting as a directory traversal flaw in the Apache Flink JobManager's REST API. The vulnerability was introduced as part of changes in the Flink 1.11.0 release that inadvertently allowed path traversal sequences to bypass file access restrictions.
The JobManager component in Apache Flink serves as the central coordination point for job execution and exposes a REST API for management operations. An attacker can craft malicious HTTP requests containing directory traversal sequences (such as ../) to escape the intended directory boundaries and access arbitrary files on the filesystem.
Root Cause
The root cause of this vulnerability lies in insufficient input validation of file path parameters within the JobManager REST interface. When processing requests for file resources, the application failed to properly sanitize user-supplied path components, allowing attackers to use relative path traversal sequences to navigate outside the intended directory structure.
The vulnerable code path accepted file path parameters directly from HTTP requests without adequately normalizing or validating the path against directory traversal attempts. This allowed requests containing encoded or plain ../ sequences to access files anywhere on the filesystem that the JobManager process has read permissions for.
Attack Vector
The attack is network-accessible and requires no authentication or user interaction, making it particularly dangerous for internet-exposed Flink deployments. An attacker can exploit this vulnerability by sending specially crafted HTTP requests to the JobManager REST API endpoint.
The attack typically targets sensitive files such as /etc/passwd, application configuration files containing database credentials, API keys stored in environment configuration, or other sensitive data accessible to the Flink process user. Since the vulnerability requires no privileges and has low complexity, it presents a significant risk to any exposed Apache Flink instance running vulnerable versions.
Exploitation involves sending HTTP GET requests to the JobManager REST interface with crafted path parameters containing directory traversal sequences. The server responds with the contents of the requested file, effectively providing arbitrary file read capability to remote attackers.
Detection Methods for CVE-2020-17519
Indicators of Compromise
- HTTP requests to the Flink JobManager REST API containing path traversal sequences such as ../, ..%2f, or URL-encoded variants
- Unexpected file read operations by the Flink JobManager process targeting system files like /etc/passwd, /etc/shadow, or configuration files outside the Flink installation directory
- Access logs showing requests with unusually long paths or encoded characters in REST API file retrieval endpoints
- Outbound data transfers from the JobManager process that may indicate exfiltration of sensitive files
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block requests containing directory traversal patterns targeting Flink REST endpoints
- Monitor Flink JobManager access logs for anomalous file path requests, particularly those containing .. sequences or attempting to access system files
- Deploy network intrusion detection signatures that alert on HTTP requests matching known CVE-2020-17519 exploitation patterns
- Configure file integrity monitoring on sensitive system files to detect unexpected read access by the Flink process
Monitoring Recommendations
- Enable detailed access logging on the JobManager REST interface and forward logs to a centralized SIEM for analysis
- Set up alerts for any attempts to access files outside the standard Flink working directories
- Monitor the Flink process for unusual file system activity using endpoint detection and response (EDR) solutions
- Implement network segmentation monitoring to detect potential lateral movement following successful exploitation
How to Mitigate CVE-2020-17519
Immediate Actions Required
- Upgrade all Apache Flink installations to version 1.11.3 or 1.12.0 or later immediately
- If immediate patching is not possible, restrict network access to the JobManager REST interface using firewall rules or network segmentation
- Audit Flink JobManager access logs for signs of prior exploitation attempts
- Review and rotate any credentials or sensitive data that may have been accessible to the Flink process
- Ensure Flink instances are not directly exposed to the internet without appropriate access controls
Patch Information
Apache has addressed this vulnerability in Flink versions 1.11.3 and 1.12.0. The fix was implemented in commit b561010b0ee741543c3953306037f00d7a9f0801 on the apache/flink master branch. Organizations should upgrade to the patched versions immediately, as this vulnerability is actively exploited in the wild.
For additional information, refer to the Apache Flink Security Announcement and the CISA Known Exploited Vulnerabilities Catalog entry.
Workarounds
- Implement strict network access controls to limit JobManager REST API access to trusted internal networks only
- Deploy a reverse proxy with path filtering capabilities in front of the JobManager to block requests containing traversal sequences
- Run the Flink JobManager process with minimal filesystem permissions to limit the impact of successful exploitation
- Consider disabling the REST interface entirely if it is not required for operational purposes
# Example: Restrict JobManager REST API access using iptables
# Allow access only from trusted management network
iptables -A INPUT -p tcp --dport 8081 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 8081 -j DROP
# Alternatively, bind JobManager REST interface to localhost only
# In flink-conf.yaml:
# rest.bind-address: 127.0.0.1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
