CVE-2023-41834
N/A
N/A
Summary
Improper Neutralization of CRLF Sequences in HTTP Headers in Apache Flink Stateful Functions 3.1.0, 3.1.1 and 3.2.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted HTTP requests. Attackers could potentially inject malicious content into the HTTP response that is sent to the user's browser.
Users should upgrade to Apache Flink Stateful Functions version 3.3.0.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Apache Software Foundation | Apache Flink Stateful Functions | 3.1.0 <= 3.2.0 | affected |
Weaknesses
- CWE-113: CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
- CWE-74: CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
ADP Enrichment
CVE Program Container
Additional References
- https://lists.apache.org/thread/cvxcsdyjqc3lysj1tz7s06zwm36zvwrm
- http://www.openwall.com/lists/oss-security/2023/09/19/3
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://lists.apache.org/thread/cvxcsdyjqc3lysj1tz7s06zwm36zvwrm
- http://www.openwall.com/lists/oss-security/2023/09/19/3
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.