cvelist/2023/41xxx/CVE-2023-41834.json

{
    "data_version": "4.0",
    "data_type": "CVE",
    "data_format": "MITRE",
    "CVE_data_meta": {
        "ID": "CVE-2023-41834",
        "ASSIGNER": "security@apache.org",
        "STATE": "PUBLIC"
    },
    "description": {
        "description_data": [
            {
                "lang": "eng",
                "value": "Improper Neutralization of CRLF Sequences in HTTP Headers in Apache Flink Stateful Functions 3.1.0, 3.1.1 and 3.2.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted HTTP requests.\u00a0Attackers could potentially inject malicious content into the HTTP response that is sent to the user's browser. \n\nUsers should upgrade to Apache Flink Stateful Functions version 3.3.0."
            }
        ]
    },
    "problemtype": {
        "problemtype_data": [
            {
                "description": [
                    {
                        "lang": "eng",
                        "value": "CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')",
                        "cweId": "CWE-113"
                    }
                ]
            },
            {
                "description": [
                    {
                        "lang": "eng",
                        "value": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')",
                        "cweId": "CWE-74"
                    }
                ]
            }
        ]
    },
    "affects": {
        "vendor": {
            "vendor_data": [
                {
                    "vendor_name": "Apache Software Foundation",
                    "product": {
                        "product_data": [
                            {
                                "product_name": "Apache Flink Stateful Functions",
                                "version": {
                                    "version_data": [
                                        {
                                            "version_affected": "<=",
                                            "version_name": "3.1.0",
                                            "version_value": "3.2.0"
                                        }
                                    ]
                                }
                            }
                        ]
                    }
                }
            ]
        }
    },
    "references": {
        "reference_data": [
            {
                "url": "https://lists.apache.org/thread/cvxcsdyjqc3lysj1tz7s06zwm36zvwrm",
                "refsource": "MISC",
                "name": "https://lists.apache.org/thread/cvxcsdyjqc3lysj1tz7s06zwm36zvwrm"
            },
            {
                "url": "http://www.openwall.com/lists/oss-security/2023/09/19/3",
                "refsource": "MISC",
                "name": "http://www.openwall.com/lists/oss-security/2023/09/19/3"
            }
        ]
    },
    "generator": {
        "engine": "Vulnogram 0.1.0-dev"
    },
    "source": {
        "discovery": "EXTERNAL"
    },
    "credits": [
        {
            "lang": "en",
            "value": "Andrea Cosentino"
        }
    ]
}