PT-2023-2566 · Pypi+6 · Flask+6
Twm · Published 2023-05-01 · Updated 2025-11-28 · CVE-2023-30861
CVSS v4.0: 8.7 (High)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Flask versions prior to 2.3.2
Flask versions prior to 2.2.5
Description
A response containing data intended for one client may be cached by a proxy and subsequently served to other clients. If the proxy also caches Set-Cookie headers, it may send one client's session cookie to other clients. The severity depends on the application's use of the session and on the proxy's handling of cookies. The risk exists only when all of the following conditions are met:
- The application is hosted behind a caching proxy that does not strip cookies or ignore responses with cookies.
- The application sets session.permanent = True.
- The application does not access or modify the session at any point during a request.
- SESSION_REFRESH_EACH_REQUEST is enabled (the default).
- The application does not set a Cache-Control header to indicate that a page is private or should not be cached.
This happens because vulnerable versions of Flask only set the Vary: Cookie header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified. Without Vary: Cookie, a shared cache has no signal that the response differs per client and may store it and replay it, Set-Cookie included, to the next requester of the same URL.
Recommendations
To resolve the issue for versions prior to 2.3.2, update to version 2.3.2 or later.
To resolve the issue for versions prior to 2.2.5, update to version 2.2.5 or later.
As a temporary workaround, consider setting a Cache-Control header to indicate that a page is private or should not be cached.
Restrict access to the caching proxy to minimize the risk of exploitation.
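The conditions in the description and the Cache-Control workaround above, as a constructed, runnable model added here by the editor. It is not Flask's or Pallets' code and not a reproduction against a real proxy: `make_app` stands in for a Flask view that re-sends the session cookie on every response without reading the session (with and without the `Vary: Cookie` the fixed releases add), `SharedCache` is a minimal caching proxy that keys on path plus the request headers named in Vary and honours Cache-Control, and `no_store_when_cookie` applies the advisory's workaround as a WSGI middleware. All names and the sample cookies are the editor's own.

```python
"""Constructed model of CVE-2023-30861 and the Cache-Control workaround.

Added by the editor; none of this is Flask's code. make_app mimics an app
with session.permanent = True and SESSION_REFRESH_EACH_REQUEST enabled that
never touches the session, SharedCache mimics a caching proxy that does not
strip Set-Cookie, and no_store_when_cookie is the advisory's workaround at
the WSGI layer. All names here are the editor's own.
"""
from typing import Callable, Iterable

WSGIApp = Callable[[dict, Callable], Iterable[bytes]]


def make_app(vary_cookie: bool) -> WSGIApp:
    """vary_cookie=False mimics the vulnerable refresh path (no Vary header);
    vary_cookie=True mimics the fixed releases, which add Vary: Cookie."""
    def app(environ, start_response):
        cookie = environ.get("HTTP_COOKIE", "")
        headers = [("Content-Type", "text/plain")]
        if cookie:
            # Session refresh: same cookie, new expiry, session never read.
            headers.append(("Set-Cookie", cookie + "; Path=/; HttpOnly"))
            if vary_cookie:
                headers.append(("Vary", "Cookie"))
        start_response("200 OK", headers)
        return [b"profile page"]
    return app


def no_store_when_cookie(app: WSGIApp) -> WSGIApp:
    """Advisory workaround applied at the WSGI layer: any response that sets
    a cookie is marked Cache-Control: no-store so a shared cache drops it.
    Works in front of Flask or any other WSGI application."""
    def wrapped(environ, start_response):
        def sr(status, headers, exc_info=None):
            headers = list(headers)
            if any(k.lower() == "set-cookie" for k, _ in headers):
                headers = [h for h in headers if h[0].lower() != "cache-control"]
                headers.append(("Cache-Control", "no-store"))
            return start_response(status, headers, exc_info)
        return app(environ, sr)
    return wrapped


def header_values(headers, name: str) -> list:
    """All values of a header, matched case-insensitively."""
    return [v for k, v in headers if k.lower() == name.lower()]


class SharedCache:
    """Caching-proxy model: one stored variant per path and per combination
    of the request headers the response's Vary names; refuses private,
    no-store and Vary: * responses; does NOT strip Set-Cookie (condition 1)."""

    def __init__(self, app: WSGIApp):
        self.app = app
        self.store = {}  # path -> (vary_names, {variant_key: response})
        self.hits = 0

    @staticmethod
    def _variant_key(environ, vary_names):
        return tuple(environ.get("HTTP_" + n.upper().replace("-", "_"), "")
                     for n in vary_names)

    def fetch(self, environ):
        path = environ["PATH_INFO"]
        if path in self.store:
            vary_names, variants = self.store[path]
            key = self._variant_key(environ, vary_names)
            if key in variants:
                self.hits += 1
                return variants[key]  # served from cache, Set-Cookie included
        captured = {}

        def start_response(status, headers, exc_info=None):
            captured["status"], captured["headers"] = status, list(headers)
        body = b"".join(self.app(environ, start_response))
        response = (captured["status"], captured["headers"], body)
        cc = ",".join(header_values(response[1], "Cache-Control")).lower()
        vary_names = sorted(n.strip().lower()
                            for v in header_values(response[1], "Vary")
                            for n in v.split(",") if n.strip())
        if "no-store" in cc or "private" in cc or "*" in vary_names:
            return response  # uncacheable: passed through, not stored
        _, variants = self.store.setdefault(path, (vary_names, {}))
        variants[self._variant_key(environ, vary_names)] = response
        return response


def second_client_cookie(app: WSGIApp) -> str:
    """Alice, then Bob, request the same page through one shared cache.
    Returns the session cookie Bob's browser would end up storing."""
    cache = SharedCache(app)
    headers = []
    for cookie in ("session=alice", "session=bob"):  # constructed sample cookies
        _, headers, _ = cache.fetch({"REQUEST_METHOD": "GET",
                                     "PATH_INFO": "/profile",
                                     "HTTP_COOKIE": cookie})
    return header_values(headers, "Set-Cookie")[0].split(";")[0]


if __name__ == "__main__":
    print("vulnerable:", second_client_cookie(make_app(False)))  # session=alice
    print("Vary: Cookie:", second_client_cookie(make_app(True)))  # session=bob
    print("no-store:", second_client_cookie(no_store_when_cookie(make_app(False))))
```

Run as a script, the vulnerable variant hands Bob Alice's session cookie from the cache, while both the `Vary: Cookie` variant (what the fixed releases emit) and the `no-store` middleware make the second request reach the application. The middleware is deliberately framework-agnostic so it can sit in front of a Flask release that cannot be upgraded yet; `Cache-Control: private` would also satisfy the model's storability check, per the advisory's wording.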
Affected Products
Alt Linux
Astra Linux
Flask
Linuxmint
Red Os
Suse
Ubuntu