Date: Tue, 5 Jan 2021 12:19:59 +0100 From: Robert Metzger <rmetzger@...che.org> To: oss-security@...ts.openwall.com Subject: [CVE-2020-17518] Apache Flink directory traversal attack: remote file writing through the REST API CVE-2020-17518: Apache Flink directory traversal attack: remote file writing through the REST API Vendor: The Apache Software Foundation Versions Affected: 1.5.1 to 1.11.2 Description: Flink 1.5.1 introduced a REST handler that allows you to write an uploaded file to an arbitrary location on the local file system, through a maliciously modified HTTP HEADER. The files can be written to any location accessible by Flink 1.5.1. Mitigation: All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit a5264a6f41524afe8ceadf1d8ddc8c80f323ebc4 from apache/flink:master. Credits: This issue was discovered by 0rich1 of Ant Security FG Lab
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.