Apache Flink Stateful Functions allowed HTTP header injection due to Improper Neutralization of CRLF Sequences
CVE-2023-41834

6.1MEDIUM

Key Information:

Vendor: Apache
Status: Apache Flink Stateful Functions
Vendor: CVE Published:; 19 September 2023

Summary

Improper Neutralization of CRLF Sequences in HTTP Headers in Apache Flink Stateful Functions 3.1.0, 3.1.1 and 3.2.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted HTTP requests. Attackers could potentially inject malicious content into the HTTP response that is sent to the user's browser.

Users should upgrade to Apache Flink Stateful Functions version 3.3.0.

Affected Version(s)

Apache Flink Stateful Functions 3.1.0 <= 3.2.0

References

https://lists.apache.org/thread/cvxcsdyjqc3lysj1tz7s06zwm...

vendor-advisory

http://www.openwall.com/lists/oss-security/2023/09/19/3

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Sep 19, 2023
Vulnerability Reserved
Sep 1, 2023

Credit

Andrea Cosentino