CVE-2020-17518: Apache Flink directory traversal attack: remote file writing through the REST API
Vendor: The Apache Software Foundation Versions Affected: 1.5.1 to 1.11.2 Description: Flink 1.5.1 introduced a REST handler that allows you to write an uploaded file to an arbitrary location on the local file system, through a maliciously modified HTTP HEADER. The files can be written to any location accessible by Flink 1.5.1. Mitigation: All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit a5264a6f41524afe8ceadf1d8ddc8c80f323ebc4 from apache/flink:master. Credits: This issue was discovered by 0rich1 of Ant Security FG Lab
