Apache Flink Stateful Functions allowed HTTP header injection due to Improper Neutralization of CRLF Sequences
CVE-2023-41834

6.1MEDIUM

Key Information:

Vendor: Apache
Status: Apache Flink Stateful Functions
Vendor: CVE Published:; 19 September 2023

What is CVE-2023-41834?

Improper Neutralization of CRLF Sequences in HTTP Headers in Apache Flink Stateful Functions 3.1.0, 3.1.1 and 3.2.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted HTTP requests. Attackers could potentially inject malicious content into the HTTP response that is sent to the user's browser.

Users should upgrade to Apache Flink Stateful Functions version 3.3.0.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Apache Flink Stateful Functions 3.1.0 <= 3.2.0

References

https://lists.apache.org/thread/cvxcsdyjqc3lysj1tz7s06zwm...

vendor-advisory

http://www.openwall.com/lists/oss-security/2023/09/19/3

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Sep 19, 2023
Vulnerability Reserved
Sep 1, 2023

Credit

Andrea Cosentino

JSON

Apache