oss-sec mailing list archives

[CVE-2023-41834] Apache Flink Stateful Functions allowed HTTP header injection due to Improper Neutralization of CRLF Sequences

From: Martijn Visser <martijnvisser () apache org>
Date: Tue, 19 Sep 2023 12:43:45 +0200

CVE-2023-41834: Apache Flink Stateful Functions allowed HTTP header
injection due to Improper Neutralization of CRLF Sequences

Severity: moderate

Vendor:
The Apache Software Foundation

Versions Affected:
Stateful Functions 3.1.0 to 3.2.0

Description:
Improper Neutralization of CRLF Sequences in HTTP Headers in Apache
Flink Stateful Functions 3.1.0, 3.1.1 and 3.2.0 allows remote
attackers to inject arbitrary HTTP headers and conduct HTTP response
splitting attacks via crafted HTTP requests. Attackers could
potentially inject malicious content into the HTTP response that is
sent to the user. This could include injecting a fake login form or
other phishing content, or injecting malicious JavaScript code that
can steal user credentials or perform other malicious actions on the
user's behalf.

Mitigation:
Users should upgrade to 3.3.0

Credit:
This issue was discovered by Andrea Cosentino from Apache Software Foundation

References:
https://flink.apache.org/security/

Current thread:

[CVE-2023-41834] Apache Flink Stateful Functions allowed HTTP header injection due to Improper Neutralization of CRLF Sequences Martijn Visser (Sep 19)