CVE-2023-41834

CVE-2023-41834: Apache Flink Stateful Functions allowed HTTP header injection due to Improper Neutralization of CRLF Sequences

Vendor Apache Software Foundation

Product Apache Flink Stateful Functions

Weakness CWE-113 · HTTP response splitting

Published September 19, 2023

Last update February 13, 2025

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

Description

Improper Neutralization of CRLF Sequences in HTTP Headers in Apache Flink Stateful Functions 3.1.0, 3.1.1 and 3.2.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted HTTP requests. Attackers could potentially inject malicious content into the HTTP response that is sent to the user's browser. Users should upgrade to Apache Flink Stateful Functions version 3.3.0.

Key dates

Disclosure timeline

September 19, 2023 CVE published

February 13, 2025 Record updated