Automate Recon and scanning process with Vidoc. All security teams in one place
By kannthu
The "Apache Flink - Remote Code Execution" module is designed to detect an unauthenticated remote code execution vulnerability in Apache Flink, a distributed processing framework for big data. This vulnerability can be classified as CWE-77 and has a critical severity level with a CVSS score of 10. The module was authored by pikpikcu.
If successfully exploited, this vulnerability allows an attacker to execute arbitrary code on the target system. This can lead to unauthorized access, data theft, system compromise, and potential disruption of critical services.
The module sends a POST request to the "/jars/upload" endpoint of the Apache Flink server, attempting to upload a JAR file. The request includes a multipart/form-data payload whose file part is named poc.jar and whose body is a randomly generated alphanumeric string rather than a real archive, as the template below shows. The module then applies several matching conditions to determine if the vulnerability is present:
- The response header must contain the word "application/json".
- The response body must contain the words "success" and "_poc.jar".
- The response status code must be 200.
If all the matching conditions are met, the module reports the vulnerability.
For example, the module's HTTP request template looks like this:
POST /jars/upload HTTP/1.1
Host: <Hostname>
Content-Type: multipart/form-data;boundary=8ce4b16b22b58894aa86c421e8759df3
--8ce4b16b22b58894aa86c421e8759df3
Content-Disposition: form-data; name="jarfile";filename="poc.jar"
Content-Type:application/octet-stream
<randTextAlphanumeric(10)>
--8ce4b16b22b58894aa86c421e8759df3--
It is important to note that this module is specifically designed to detect the presence of the Apache Flink remote code execution vulnerability and does not attempt to exploit it.
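As an added example (not Vidoc's or the module's own code), the following Python applies the module's three matching conditions to raw HTTP responses; the sample responses, including the upload path and UUID in the first one, are constructed for illustration. A matcher of this kind is what turns the request template into a finding: it only inspects the server's answer and never runs anything that was uploaded.

```python
# Added example, not Vidoc's own code; sample responses below are constructed.

def parse_raw_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status_code, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return status, headers, body.decode("utf-8", errors="replace")

def flink_upload_matches(status: int, headers: dict, body: str) -> bool:
    """The module's three conditions; all must hold (AND), otherwise no finding."""
    content_type = headers.get("content-type", "")
    return (
        status == 200
        and "application/json" in content_type
        and "success" in body
        and "_poc.jar" in body
    )

def is_vulnerable(raw: bytes) -> bool:
    return flink_upload_matches(*parse_raw_response(raw))

# Constructed: an unauthenticated Flink web UI that accepted the upload would
# answer roughly like this (the upload directory and UUID here are invented).
VULNERABLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/json; charset=UTF-8\r\n\r\n"
    b'{"filename":"/tmp/flink-web-upload/0f1e2d3c-0000-4000-8000-000000000000_poc.jar",'
    b'"status":"success"}'
)

# Constructed: a host that rejects the unauthenticated upload.
REJECTED_RESPONSE = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"Content-Type: text/plain\r\n\r\n"
    b"authentication required"
)

# Constructed: a JSON 200 from some other API that says "success" but never
# echoes the uploaded filename; the "_poc.jar" term keeps this from matching.
UNRELATED_JSON = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/json\r\n\r\n"
    b'{"status":"success","message":"ok"}'
)
```

The third sample shows why the filename term matters: a generic JSON "success" alone would otherwise produce false positives against unrelated services.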
For more information, you can refer to the following references:
- https://www.exploit-db.com/exploits/48978
- https://adamc95.m