
Apache Flink Directory Traversal Vulnerability (CVE-2020-17518 and CVE-2020-17519)

Jan 06, 2021 GMT+08:00

I. Overview

Apache Flink has released a security notice disclosing directory traversal vulnerabilities (CVE-2020-17518 and CVE-2020-17519) in some versions. Attackers can exploit these vulnerabilities to read and write arbitrary files through the REST API. Apache Flink is a distributed, open-source computing framework for stream and batch data processing. If you are an Apache Flink user, check your system and apply security hardening promptly.

II. Severity

Severity: important

(Severity scale: low, moderate, important, critical)

III. Affected Products

Affected versions:

CVE-2020-17518: Flink 1.5.1–1.11.2

CVE-2020-17519: Flink 1.11.0, 1.11.1, 1.11.2

Secure versions:

Flink 1.11.3 or 1.12.0

IV. Vulnerability Handling

These vulnerabilities have been fixed in the latest official versions. If your service version falls into the affected range, upgrade it to one of the secure versions listed above.

HUAWEI CLOUD WAF can defend against these vulnerabilities. If you are a WAF user, set the basic web protection status to Block. For details, see Enabling Basic Web Protection.
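Alongside WAF blocking, it is worth checking the REST access logs of exposed Flink instances for traversal attempts. The following is an added example, not code from Huawei Cloud or Apache Flink: it scans constructed log lines in a generic combined-log shape (the real JobManager log format is assumed to differ) and flags request paths that resolve to a `..` segment after repeated percent-decoding, so double-encoded traversal is caught as well.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in a generic combined-log shape; the real Flink
# REST log format is assumed to differ, so adapt REQUEST_RE to it.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Jan/2021:10:00:01 +0800] "GET /v1/jobs/overview HTTP/1.1" 200 512
10.0.0.9 - - [06/Jan/2021:10:00:02 +0800] "GET /v1/example/..%252f..%252fetc%252fpasswd HTTP/1.1" 200 1837
10.0.0.9 - - [06/Jan/2021:10:00:03 +0800] "GET /v1/example/%2e%2e/%2e%2e/etc/hosts HTTP/1.1" 200 220
10.0.0.7 - - [06/Jan/2021:10:00:04 +0800] "GET /v1/taskmanagers HTTP/1.1" 200 330
"""

REQUEST_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)')
MAX_DECODE_ROUNDS = 3  # bound repeated decoding so long "%25..." chains cannot loop forever


def fully_decode(path: str) -> str:
    """Percent-decode repeatedly until the string stops changing (handles double encoding)."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def has_traversal(path: str) -> bool:
    """True if any path segment, after decoding and separator normalisation, is '..'."""
    decoded = fully_decode(path.split("?", 1)[0]).replace("\\", "/")
    return any(seg == ".." for seg in decoded.split("/"))


def find_traversal_requests(log_text: str) -> list:
    """Return (source, method, raw_path, decoded_path) for each suspicious request line."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m and has_traversal(m["path"]):
            hits.append((m["src"], m["method"], m["path"], fully_decode(m["path"])))
    return hits


if __name__ == "__main__":
    for src, method, raw, decoded in find_traversal_requests(SAMPLE_LOG):
        print(f"{src} {method} {raw} -> {decoded}")
```

Access logs carry only the request line, so a traversal carried inside an upload's filename rather than the URL is not visible here and needs inspection at the WAF or application layer.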

Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.