CVE-2023-30861: Flask vulnerable to possible disclosure of permanent session cookie due to missing Vary: Cookie header
(updated )
When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by a proxy to other clients. If the proxy also caches Set-Cookie headers, it may send one client’s session cookie to other clients. The severity depends on the application’s use of the session, and the proxy’s behavior regarding cookies. The risk depends on all these conditions being met.
References
- github.com/advisories/GHSA-m2qf-hxjv-5gpq
- github.com/pallets/flask
- github.com/pallets/flask/commit/70f906c51ce49c485f1d355703e9cc3386b1cc2b
- github.com/pallets/flask/commit/afd63b16170b7c047f5758eb910c416511e9c965
- github.com/pallets/flask/releases/tag/2.2.5
- github.com/pallets/flask/releases/tag/2.3.2
- github.com/pallets/flask/security/advisories/GHSA-m2qf-hxjv-5gpq
- github.com/pypa/advisory-database/tree/main/vulns/flask/PYSEC-2023-62.yaml
- lists.debian.org/debian-lts-announce/2023/08/msg00024.html
- nvd.nist.gov/vuln/detail/CVE-2023-30861
- security.netapp.com/advisory/ntap-20230818-0006
- www.debian.org/security/2023/dsa-5442
Code Behaviors & Features
Detect and mitigate CVE-2023-30861 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →