BIT-flink-2020-1960

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/flink/BIT-flink-2020-1960.json

JSON Data

https://api.test.osv.dev/v1/vulns/BIT-flink-2020-1960

Aliases

Published

2024-03-06T10:51:46.472Z

Modified

2024-03-06T11:25:28.861Z

Summary

[none]

Details

A vulnerability in Apache Flink (1.1.0 to 1.1.5, 1.2.0 to 1.2.1, 1.3.0 to 1.3.3, 1.4.0 to 1.4.2, 1.5.0 to 1.5.6, 1.6.0 to 1.6.4, 1.7.0 to 1.7.2, 1.8.0 to 1.8.3, 1.9.0 to 1.9.2, 1.10.0) where, when running a process with an enabled JMXReporter, with a port configured via metrics.reporter.reporter_name>.port, an attacker with local access to the machine and JMX port can execute a man-in-the-middle attack using a specially crafted request to rebind the JMXRMI registry to one under the attacker's control. This compromises any connection established to the process via JMX, allowing extraction of credentials and any other transferred data.

Database specific

{
    "cpes": [
        "cpe:2.3:a:apache:flink:*:*:*:*:*:*:*:*",
        "cpe:2.3:a:apache:flink:1.10.0:-:*:*:*:*:*:*"
    ],
    "severity": "Medium"
}

References

Affected packages

Bitnami / flink

Package

Name: flink
Purl: pkg:bitnami/flink

Severity

4.7 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

1.1.0

Fixed

1.1.5

Introduced

1.2.0

Fixed

1.2.1

Introduced

1.3.0

Fixed

1.3.3

Introduced

1.4.0

Fixed

1.4.2

Introduced

1.5.0

Fixed

1.5.6

Introduced

1.6.0

Fixed

1.6.4

Introduced

1.7.0

Fixed

1.7.2

Introduced

1.8.0

Fixed

1.8.3

Introduced

1.9.0

Fixed

1.9.2

Type: SEMVER
Events: Introduced

1.10.0

Last affected

1.10.0