CVE-2023-41834: Apache Flink Stateful Functions allowed HTTP header injection due to Improper Neutralization of CRLF Sequences
Severity: moderate Vendor: The Apache Software Foundation Versions Affected: Stateful Functions 3.1.0 to 3.2.0 Description: Improper Neutralization of CRLF Sequences in HTTP Headers in Apache Flink Stateful Functions 3.1.0, 3.1.1 and 3.2.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted HTTP requests. Attackers could potentially inject malicious content into the HTTP response that is sent to the user. This could include injecting a fake login form or other phishing content, or injecting malicious JavaScript code that can steal user credentials or perform other malicious actions on the user's behalf. Mitigation: Users should upgrade to 3.3.0 Credit: This issue was discovered by Andrea Cosentino from Apache Software Foundation References: https://flink.apache.org/security/
