CVE-2020-1960
Description
Apache Flink JMXReporter vulnerability allows local attackers to perform MITM and steal credentials.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Overview
CVE-2020-1960 is a vulnerability in Apache Flink (versions 1.1.0 through 1.10.0) that affects the JMXReporter component. When a Flink process is running with an enabled JMXReporter and a specific port configured via metrics.reporter..port, an attacker with local access to the machine can exploit the JMX port. The vulnerability allows the attacker to perform a man-in-the-middle (MITM) attack by sending a specially crafted request to rebind the JMXRMI registry to an attacker-controlled registry [1].
Exploitation
The attack requires local access to the machine running Flink and access to the JMX port. No authentication is needed for the initial bind operation. The attacker can intercept and modify the communication between legitimate JMX clients and the Flink process, effectively hijacking the RMI registry [1].
Impact
Successful exploitation compromises any connection established to the Flink process via JMX. The attacker can extract credentials and any other data transferred over JMX, leading to potential credential theft and data exfiltration [1].
Mitigation
Apache has released patched versions (1.11.0 and later) that fix this vulnerability. Users are advised to upgrade to a non-affected version or disable the JMXReporter if not needed. No workaround is available for the vulnerable configuration [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.flink:flink-core | Maven | < 1.9.3 | 1.9.3 |
| org.apache.flink:flink-core | Maven | >= 1.10.0, < 1.10.1 | 1.10.1 |
Affected products
- Apache/Flink (OSV coordinates, 2 version ranges)
  - range: >= 1.1.0, < 1.1.6 (no CPE)
  - range: < 1.9.3 (no CPE)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-6g88-99wj-8mgg (GHSA advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2020-1960 (NVD advisory, via GHSA)
- [3] lists.apache.org/thread.html/r23e559dee1e69741557b5fe431846de1f1a5981356d0ddb9482df88a%40%3Cdev.flink.apache.org%3E (dev.flink.apache.org list; GHSA, x_refsource_MISC)
- [4] lists.apache.org/thread.html/r26fcdd4fe288323006253437ebc4dd6fdfadfb5e93465a0e4f68420d%40%3Cuser-zh.flink.apache.org%3E (user-zh.flink.apache.org list; MITRE and GHSA, x_refsource_MISC)
- [5] lists.apache.org/thread.html/r28f17e564950d663e68cc6fe75756012dda62ac623766bb9bc5e7034%40%3Cissues.flink.apache.org%3E (issues.flink.apache.org list; MITRE and GHSA, x_refsource_MLIST)
- [6] lists.apache.org/thread.html/r663cf0d5c386bba2f562d45ad484d786151a84f0b95e45e2b0fb8e50%40%3Cissues.flink.apache.org%3E (issues.flink.apache.org list; MITRE and GHSA, x_refsource_MLIST)
News mentions
No linked articles in our index yet.