oss-sec mailing list archives
[CVE-2023-41834] Apache Flink Stateful Functions allowed HTTP header injection due to Improper Neutralization of CRLF Sequences
From: Martijn Visser <martijnvisser () apache org>
Date: Tue, 19 Sep 2023 12:43:45 +0200
CVE-2023-41834: Apache Flink Stateful Functions allowed HTTP header injection due to Improper Neutralization of CRLF Sequences Severity: moderate Vendor: The Apache Software Foundation Versions Affected: Stateful Functions 3.1.0 to 3.2.0 Description: Improper Neutralization of CRLF Sequences in HTTP Headers in Apache Flink Stateful Functions 3.1.0, 3.1.1 and 3.2.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted HTTP requests. Attackers could potentially inject malicious content into the HTTP response that is sent to the user. This could include injecting a fake login form or other phishing content, or injecting malicious JavaScript code that can steal user credentials or perform other malicious actions on the user's behalf. Mitigation: Users should upgrade to 3.3.0 Credit: This issue was discovered by Andrea Cosentino from Apache Software Foundation References: https://flink.apache.org/security/
Current thread:
- [CVE-2023-41834] Apache Flink Stateful Functions allowed HTTP header injection due to Improper Neutralization of CRLF Sequences Martijn Visser (Sep 19)