CISA Warns of Actively Exploited Apache Flink Safety Vulnerability

Might 23, 2024NewsroomMenace Intelligence / Vulnerability,

The U.S. Cybersecurity and Infrastructure Safety Company (CISA) on Thursday added a safety flaw impacting Apache Flink, the open-source, unified stream-processing and batch-processing framework, to the Identified Exploited Vulnerabilities (KEV) catalog, citing proof of energetic exploitation.

Tracked as CVE-2020-17519, the difficulty pertains to a case of improper entry management that would enable an attacker to learn any file on the native filesystem of the JobManager by its REST interface.

This additionally signifies that a distant unauthenticated attacker might ship a specifically crafted listing traversal request that would allow unauthorized entry to delicate info.

The vulnerability, which impacts Flink variations 1.11.0, 1.11.1, and 1.11.2, was addressed in January 2021 in variations 1.11.3 or 1.12.0.

Cybersecurity

The precise nature of the assaults exploiting the flaw is presently unknown, though Palo Alto Networks Unit 42 warned of intensive in-the-wild abuse between November 2020 and January 2021.

“A number of newly noticed exploits, together with CVE-2020-28188, CVE-2020-17519, and CVE-2020-29227, have emerged and were continuously being exploited in the wild as of late 2020 to early 2021,” safety researchers Lei Xu, Yue Guan, and Vaibhav Singhal famous in April 2021.

In gentle of the energetic exploitation of CVE-2020-17519, federal businesses are really helpful to use the most recent fixes by June 13, 2024, to safeguard their networks towards energetic threats.

Discovered this text fascinating? Comply with us on Twitter and LinkedIn to learn extra unique content material we publish.

Recent articles

Patch Alert: Essential Apache Struts Flaw Discovered, Exploitation Makes an attempt Detected

Dec 18, 2024Ravie LakshmananCyber Assault / Vulnerability Risk actors are...

Meta Fined €251 Million for 2018 Knowledge Breach Impacting 29 Million Accounts

Dec 18, 2024Ravie LakshmananKnowledge Breach / Privateness Meta Platforms, the...