Information Exposure

Affecting org.apache.flink:flink-metrics-core artifact, versions [1.1.0, 1.9.3) || [1.10.0,1.10.1)

Report new vulnerabilities
Do your applications use this vulnerable package? Test your applications

Overview

org.apache.flink:flink-metrics-core is an open-source stream-processing framework developed by the Apache Software Foundation.

Affected versions of this package are vulnerable to Information Exposure. When running a process with an enabled JMXReporter, with a port configured via metrics.reporter.<reporter_name>.port, an attacker with local access to the machine and JMX port can execute a man-in-the-middle attack using a specially crafted request to rebind the JMXRMI registry to one under the attacker's control. This compromises any connection established to the process via JMX, allowing extraction of credentials and any other transferred data.

Remediation

Upgrade org.apache.flink:flink-metrics-core to version 1.9.3, 1.10.1 or higher.

References

CVSS Score

6.5
medium severity
  • Attack Vector
    Local
  • Attack Complexity
    High
  • Privileges Required
    Low
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    Low
  • Availability
    High
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H
Credit
Jonathan Gallimore, Colm O hEigeartaigh
CVE
CVE-2020-1960
CWE
CWE-200
Snyk ID
SNYK-JAVA-ORGAPACHEFLINK-569132
Disclosed
14 May, 2020
Published
14 May, 2020