CVE-2023-41834

Summary

Improper Neutralization of CRLF Sequences in HTTP Headers in Apache Flink Stateful Functions 3.1.0, 3.1.1 and 3.2.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted HTTP requests. Attackers could potentially inject malicious content into the HTTP response that is sent to the user's browser.

Users should upgrade to Apache Flink Stateful Functions version 3.3.0.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache Flink Stateful Functions3.1.0 <= 3.2.0affected

Weaknesses

  • CWE-113: CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
  • CWE-74: CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References