CISA Adds Apache Flink CVE-2020-17519 Vulnerability to KEV Catalog
The Cybersecurity and Infrastructure Security Agency (CISA) has raised a critical alarm for users of the Apache Flink framework. A dangerous directory traversal vulnerability (CVE-2020-17519) has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, signaling that cybercriminals are actively exploiting this flaw to compromise systems.
Apache Flink is a popular open-source platform for processing massive datasets. It’s used in a wide range of industries for real-time analytics, machine learning, and other data-intensive applications. Its ability to handle both bounded and unbounded data streams makes it a versatile tool for organizations seeking to extract insights from their information.
The vulnerability in question (CVE-2020-17519) is a directory traversal flaw that allows attackers to read arbitrary files on the local filesystem of the JobManager process. This means that sensitive data, configuration files, and other confidential information could be exposed to malicious actors.
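Because the flaw is a directory traversal against a file-serving endpoint of the JobManager, the most useful thing a defender can do besides patching is to look back through the JobManager's HTTP access logs for traversal attempts and, in particular, for attempts that were answered with a 2xx status. The following detector is an added example written for this page; it is not code from the article or from the Apache Flink project. The log lines are constructed, the request paths in them (a `/jobmanager/logs/` prefix and a `PLACEHOLDER.conf` target) are assumptions rather than endpoints documented on the page, and the one technique it shows that matters in practice is decoding the URL to a fixed point, since traversal payloads are frequently double-encoded so that a single decode still looks like an ordinary filename.

```python
"""Path-traversal detection over HTTP access logs.

Added example for this page, not code from the article or the Apache Flink
project. The log lines below are constructed; the request paths in them are
assumptions, not endpoints taken from the page.
"""
import re
from urllib.parse import unquote

# One Common Log Format line: client, identity, user, timestamp, request, status, size.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def fully_decode(target, max_rounds=5):
    """Percent-decode the path part of a request target until it stops changing.

    Returns (decoded_path, rounds), where rounds is how many decode passes
    changed the string. Double-encoded payloads such as '..%252f' survive a
    single decode as '..%2f' and only become '../' on the second pass, so a
    detector that decodes once would miss them.
    """
    path = target.split("?", 1)[0]
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(path)
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path, rounds


def is_traversal(target):
    """True if the fully decoded path contains a '..' *segment*.

    Checking segments rather than substrings avoids flagging filenames that
    merely contain two dots (e.g. 'app..js').
    """
    path, _ = fully_decode(target)
    return ".." in path.replace("\\", "/").split("/")


def scan_access_log(lines):
    """Return one finding per traversal attempt, marking likely successful reads."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_traversal(m["target"]):
            continue
        decoded, rounds = fully_decode(m["target"])
        status = int(m["status"])
        findings.append({
            "client": m["client"],
            "timestamp": m["ts"],
            "raw": m["target"],
            "decoded": decoded,
            "encoding_rounds": rounds,
            "status": status,
            # A 2xx answer to a traversal path means the server served a file
            # outside the intended directory: triage these first.
            "likely_success": 200 <= status < 300,
        })
    return findings


# Constructed sample log (not real traffic; paths are assumptions).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:01:02 +0000] "GET /jobmanager/config HTTP/1.1" 200 412',
    '198.51.100.7 - - [01/Jan/2024:10:01:09 +0000] "GET /jobmanager/logs/..%2f..%2fPLACEHOLDER.conf HTTP/1.1" 404 0',
    '198.51.100.7 - - [01/Jan/2024:10:01:11 +0000] "GET /jobmanager/logs/..%252f..%252fPLACEHOLDER.conf HTTP/1.1" 200 1834',
    '10.0.0.9 - - [01/Jan/2024:10:02:30 +0000] "GET /jobmanager/logs/jobmanager.log HTTP/1.1" 200 9021',
    '10.0.0.9 - - [01/Jan/2024:10:02:31 +0000] "GET /static/app..js HTTP/1.1" 200 3301',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        flag = "LIKELY SUCCESS" if f["likely_success"] else "attempt"
        print(f"{flag}: {f['client']} {f['raw']} -> {f['decoded']} "
              f"(decode rounds={f['encoding_rounds']}, status={f['status']})")
```

Run against the JobManager's real access logs, the `encoding_rounds` field separates naive probes from deliberately double-encoded requests, and `likely_success` narrows the list to the requests where a file was actually returned. Patching to a fixed release remains the fix; this only tells you whether an exposed instance was already read from.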
Any organization using Apache Flink versions 1.11.0, 1.11.1, or 1.11.2 is at risk. The vulnerability is particularly concerning for Flink instances exposed to the internet or other untrusted networks.
Federal agencies are required to update to a patched version of the software – Apache Flink version 1.19.0 or later – by June 13, 2024, to secure their networks against active threats.