The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday included a security flaw impacting Apache Flink, the open up-supply, unified stream-processing and batch-processing framework, to the Recognised Exploited Vulnerabilities (KEV) catalog, citing evidence of lively exploitation.
Tracked as CVE-2020-17519, the issue relates to a scenario of inappropriate accessibility manage that could make it possible for an attacker to go through any file on the nearby filesystem of the JobManager by its Relaxation interface.
This also implies that a distant unauthenticated attacker could send a specifically crafted directory traversal request that could permit unauthorized obtain to delicate information and facts.
Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).
➤ Get Mullvad VPN with 12% Discount
The vulnerability, which impacts Flink versions 1.11., 1.11.1, and 1.11.2, was resolved in January 2021 in variations 1.11.3 or 1.12..
The exact nature of the attacks exploiting the flaw is presently not known, although Palo Alto Networks Unit 42 warned of in depth in-the-wild abuse among November 2020 and January 2021.
“Various freshly noticed exploits, which includes CVE-2020-28188, CVE-2020-17519, and CVE-2020-29227, have emerged and have been constantly staying exploited in the wild as of late 2020 to early 2021,” security scientists Lei Xu, Yue Guan, and Vaibhav Singhal mentioned in April 2021.
In gentle of the energetic exploitation of CVE-2020-17519, federal companies are advisable to implement the latest fixes by June 13, 2024, to safeguard their networks from lively threats.
Observed this write-up attention-grabbing? Observe us on Twitter and LinkedIn to read extra unique written content we publish.
Some parts of this report are sourced from:
thehackernews.com