Apache Flink Directory Traversal Vulnerability (CVE-2020-17518 and CVE-2020-17519)
Jan 06, 2021 GMT+08:00
Apache Flink has released a security notice disclosing directory traversal vulnerabilities (CVE-2020-17518 and CVE-2020-17519) in some versions. Attackers can exploit these vulnerabilities to read and write arbitrary files through the REST APIs. Apache Flink is a distributed, open-source computing framework for data stream and batch data processing. If you are an Apache Flink user, check your system and implement timely security hardening.
(Severity: low, moderate, important, and critical)
III. Affected Products
CVE-2020-17518: Flink 1.5.1–1.11.2
CVE-2020-17519: Flink 1.11.0, 1.11.1, 1.11.2
Secure versions: Flink 1.11.3 or 1.12.0
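To check an inventory of Flink deployments against the affected ranges listed above, the following added example (not part of the original notice or of Apache Flink) maps a version string to the CVEs that apply to it. The host names and versions in the sample inventory are constructed, and ignoring build suffixes such as `-SNAPSHOT` is an assumption of this sketch.

```python
import re

# Affected ranges as listed in this notice (inclusive bounds).
AFFECTED = {
    "CVE-2020-17518": ((1, 5, 1), (1, 11, 2)),
    "CVE-2020-17519": ((1, 11, 0), (1, 11, 2)),
}
SECURE_VERSIONS = "1.11.3 or 1.12.0"  # secure versions named in this notice


def parse_version(text):
    """Turn '1.11.2', '1.9' or '1.11.2-SNAPSHOT' into (major, minor, patch).

    Assumption: a build suffix is ignored, so a pre-release build is treated
    like the release it is named after. Verify such builds by hand.
    """
    m = re.match(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Flink version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def applicable_cves(version_text):
    """Return the sorted list of CVEs from this notice that cover the version."""
    v = parse_version(version_text)
    return sorted(cve for cve, (lo, hi) in AFFECTED.items() if lo <= v <= hi)


def audit(inventory):
    """Map each affected host to its CVEs; unaffected hosts are left out."""
    findings = {}
    for host, version in inventory.items():
        cves = applicable_cves(version)
        if cves:
            findings[host] = cves
    return findings


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = {
    "flink-jm-a.example.internal": "1.11.2",
    "flink-jm-b.example.internal": "1.9.3",
    "flink-jm-c.example.internal": "1.12.0",
    "flink-jm-d.example.internal": "1.4.2",
}

if __name__ == "__main__":
    for host, cves in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {', '.join(cves)} -> upgrade to {SECURE_VERSIONS}")
```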
IV. Vulnerability Handling
These vulnerabilities have been fixed in the latest official versions. If your service version falls into the affected range, upgrade it to the latest secure version.
HUAWEI CLOUD WAF can defend against these vulnerabilities. If you are a WAF user, set the basic web protection status to Block. For details, see Enabling Basic Web Protection.
Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.