VYPR
High severityCISA KEVNVD Advisory· Published Jan 5, 2021· Updated Oct 21, 2025

Apache Flink directory traversal attack: reading remote files through the REST API

CVE-2020-17519

Description

A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. Access is restricted to files accessible by the JobManager process. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit b561010b0ee741543c3953306037f00d7a9f0801 from apache/flink:master.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.apache.flink:flink-runtime_2.11Maven
>= 1.11.0, < 1.11.31.11.3
org.apache.flink:flink-runtime_2.12Maven
>= 1.11.0, < 1.11.31.11.3

Affected products

4

Patches

Vulnerability mechanics

References

33

News mentions

0

No linked articles in our index yet.