Apache Flink is a processing engine that distributes a framework for state calculations across unbounded and bounded data streams developed using Java and Scala. A REST handler introduced in Apache Flink 1.5.1 is vulnerable to unrestricted file upload via directory Travels. Directory traversal is a form of HTTP attack that allows attackers to gain access to password-protected directories. It also runs commands outside of the root directory of the webserver. The access to files is not limited by system operational access control. This vulnerability allows attackers to upload files to the directories in the local filesystem through crafted HTTP requests.
Mitigation / Precaution
We suggest you update Apache Flink to a version greater than 1.11.3 in order to fix this vulnerability.
