CVE-2020-1960 — Injection in Apache Flink

CWE-74 — Injection CWE-20 — Improper Input Validation9 documents8 sources

Severity

4.7MEDIUMNVD

EPSS

0.1%

top 74.60%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Flink Apache Software Foundation Apache Flink

Timeline

PublishedMay 14

Latest updateMay 21

Description

A vulnerability in Apache Flink (1.1.0 to 1.1.5, 1.2.0 to 1.2.1, 1.3.0 to 1.3.3, 1.4.0 to 1.4.2, 1.5.0 to 1.5.6, 1.6.0 to 1.6.4, 1.7.0 to 1.7.2, 1.8.0 to 1.8.3, 1.9.0 to 1.9.2, 1.10.0) where, when running a process with an enabled JMXReporter, with a port configured via metrics.reporter.reporter_name>.port, an attacker with local access to the machine and JMX port can execute a man-in-the-middle attack using a specially crafted request to rebind the JMXRMI registry to one under the attacker's co…

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.0 | Impact: 3.6

Affected Packages2 packages

▶NVDapache/flink1.1.0 — 1.1.5+9

▶CVEListV5apache_software_foundation/apache_flinkApache Flink 1.1.0 to 1.1.5, 1.2.0 to 1.2.1, 1.3.0 to 1.3.3, 1.4.0 to 1.4.2, 1.5.0 to 1.5.6, 1.6.0 to 1.6.4, 1.7.0 to 1.7.2, 1.8.0 to 1.8.3, 1.9.0 to 1.9.2, 1.10.0

Patches

Patch: lists.apache.org ↗Patch: lists.apache.org ↗

🔴Vulnerability Details

OSV

Command injection in Apache Flink↗2021-05-21

▶

GHSA

Command injection in Apache Flink↗2021-05-21

▶

CVEList

CVE-2020-1960: A vulnerability in Apache Flink (1↗2020-05-14

▶

📋Vendor Advisories

Red Hat

apache-flink: JMX information disclosure vulnerability↗2020-05-13

▶

Apache

Apache flink: CVE-2020-1960↗

▶

💬Community

Bugzilla

CVE-2020-2231 jenkins: stored XSS vulnerability in 'trigger builds remotely'↗2020-09-03

▶

Bugzilla

CVE-2020-1960 apache-flink: JMX information disclosure vulnerability↗2020-06-17

▶