Apache Flink Improper Access Control Vulnerability

Technical Severity

CVSS v3.1 Metrics

CRITICAL

9.1 / 10

Minimal Risk Critical

Vector Specification

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Exploitation Likelihood

EPSS Prediction

94.38 %

Predictive Probability

Percentile Rank

100.0 th

Documented as more likely to be exploited than 100.0% of known CVEs.

Detection Date

May 23, 2024

Remediation Due

Jun 13, 2024

CISA Catalog Active

Threat Analysis

Apache Flink contains an improper access control vulnerability that allows an attacker to read any file on the local filesystem of the JobManager through its REST interface.

Remediation Directive

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Asset Context

Vendor Identity

Apache

Affected Product

Flink

Ransomware Status

Campaign Use Unknown

Weakness Classification

CWE-552

External Intelligence

This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see:

https://lists.apache.org/thread/typ0h03zyfrzjqlnb7plh64df1g2383d

NVD

National Vulnerability Database

https://nvd.nist.gov/vuln/detail/CVE-2020-17519