CVE-2020-17518

HIGH EXPLOITED NUCLEI

Apache Flink <1.11.3-1.12.0 - Path Traversal


Exploitation Summary

CVE-2020-17518 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 3 public exploits from researchers including QmF0c3UK, murataydemir, rakjong. A Nuclei detection template is also available.

AI-analyzed exploit summary: This PoC exploits CVE-2020-17518, a directory traversal vulnerability in Apache Flink's REST API, allowing arbitrary file write via malicious HTTP headers. The script checks for vulnerability by attempting to write a test file to a traversed path.

Description

Apache Flink 1.5.1 introduced a REST handler that allows you to write an uploaded file to an arbitrary location on the local file system, through a maliciously modified HTTP HEADER. The files can be written to any location accessible by Flink 1.5.1. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit a5264a6f41524afe8ceadf1d8ddc8c80f323ebc4 from apache/flink:master.

Exploits (3)

nomisec WORKING POC 7 stars
by QmF0c3UK · remote
https://github.com/QmF0c3UK/CVE-2020-17518

This PoC exploits CVE-2020-17518, a directory traversal vulnerability in Apache Flink's REST API, allowing arbitrary file write via malicious HTTP headers. The script checks for vulnerability by attempting to write a test file to a traversed path.

Classification: Working PoC 90%
Attack Type: Other
Complexity: Trivial
Reliability: Reliable
Target: Apache Flink 1.5.1-1.11.2
No auth needed
Prerequisites: Network access to the Flink REST API
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 3 stars
by murataydemir · remote
https://github.com/murataydemir/CVE-2020-17518

This repository contains a valid proof-of-concept for CVE-2020-17518, an arbitrary file upload vulnerability in Apache Flink via directory traversal. The PoC demonstrates how an attacker can upload files to arbitrary directories on the local filesystem by crafting HTTP requests with malicious filenames.

Classification: Working PoC 95%
Attack Type: Other
Complexity: Trivial
Reliability: Reliable
Target: Apache Flink versions before 1.11.3
No auth needed
Prerequisites: Network access to the Apache Flink RESTful API endpoint
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 1 star
by rakjong · remote
https://github.com/rakjong/Flink-CVE-2020-17518-getshell

This PoC exploits CVE-2020-17518 in Apache Flink by uploading a malicious JAR file to achieve remote code execution. It leverages a directory traversal vulnerability to place the JAR in a predictable location and provides a command execution endpoint.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Apache Flink (versions affected by CVE-2020-17518)
No auth needed
Prerequisites: Network access to the Flink JobManager interface · Flink JobManager exposed on a reachable port (typically 8081)
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Apache Flink 1.5.1 - Local File Inclusion
HIGH · by pdteam

References (24)

Core References
Mailing List, Third Party Advisory (mailing-list, x_refsource_mlist)
http://www.openwall.com/lists/oss-security/2021/01/05/1

Scores

CVSS v3 7.5
EPSS 0.5233
EPSS Percentile 98.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

VulnCheck KEV 2023-11-25
CWE: CWE-22, CWE-23
Status: published
Products (2):
apache/flink 1.5.1 - 1.11.3
org.apache.flink/flink-runtime 1.5.1 - 1.11.3 (Maven)
Published Jan 05, 2021
Tracked Since Feb 18, 2026