SB2021010507 - Multiple vulnerabilities in Apache Flink
Published: January 5, 2021 Updated: June 22, 2022
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Path traversal (CVE-ID: CVE-2020-17518)
The vulnerability allows a remote user to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences while uploading files via a REST handler. A remote user can send a specially crafted HTTP request with a modified HTTP header and upload files to an arbitrary location on the system.
2) Information disclosure (CVE-ID: CVE-2020-17519)
The vulnerability allows a remote user to gain access to sensitive information.
The vulnerability exists due to application allows to read arbitrary files on the system of the JobManager through the REST interface of the JobManager process. A remote user can send a specially crafted HTTP request and read arbitrary files on the system.
Remediation
Install update from vendor's website.