CVE - CVE-2023-30861

CVE-ID
CVE-2023-30861	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
Flask is a lightweight WSGI web application framework. When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches `Set-Cookie` headers, it may send one client's `session` cookie to other clients. The severity depends on the application's use of the session and the proxy's behavior regarding cookies. The risk depends on all these conditions being met. 1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies. 2. The application sets `session.permanent = True` 3. The application does not access or modify the session at any point during a request. 4. `SESSION_REFRESH_EACH_REQUEST` enabled (the default). 5. The application does not set a `Cache-Control` header to indicate that a page is private or should not be cached. This happens because vulnerable versions of Flask only set the `Vary: Cookie` header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified. This issue has been fixed in versions 2.3.2 and 2.2.5.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
CONFIRM:https://security.netapp.com/advisory/ntap-20230818-0006/ DEBIAN:DSA-5442 URL:https://www.debian.org/security/2023/dsa-5442 MISC:https://github.com/pallets/flask/commit/70f906c51ce49c485f1d355703e9cc3386b1cc2b URL:https://github.com/pallets/flask/commit/70f906c51ce49c485f1d355703e9cc3386b1cc2b MISC:https://github.com/pallets/flask/commit/afd63b16170b7c047f5758eb910c416511e9c965 URL:https://github.com/pallets/flask/commit/afd63b16170b7c047f5758eb910c416511e9c965 MISC:https://github.com/pallets/flask/releases/tag/2.2.5 URL:https://github.com/pallets/flask/releases/tag/2.2.5 MISC:https://github.com/pallets/flask/releases/tag/2.3.2 URL:https://github.com/pallets/flask/releases/tag/2.3.2 MISC:https://github.com/pallets/flask/security/advisories/GHSA-m2qf-hxjv-5gpq URL:https://github.com/pallets/flask/security/advisories/GHSA-m2qf-hxjv-5gpq MLIST:[debian-lts-announce] 20230820 [SECURITY] [DLA 3536-1] flask security update URL:https://lists.debian.org/debian-lts-announce/2023/08/msg00024.html
Assigning CNA
GitHub (maintainer security advisories)
Date Record Created
20230418	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20230418)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)