First published: Mon May 01 2023
When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by a proxy to other clients. If the proxy also caches `Set-Cookie` headers, it may send one client's `session` cookie to other clients. The severity depends on the application's use of the session, and the proxy's behavior regarding cookies. The risk depends on _all_ these conditions being met.

1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies.
2. The application sets [`session.permanent = True`](https://flask.palletsprojects.com/en/2.3.x/api/#flask.session.permanent).
3. The application does not access or modify the session at any point during a request.
4. [`SESSION_REFRESH_EACH_REQUEST`](https://flask.palletsprojects.com/en/2.3.x/config/#SESSION_REFRESH_EACH_REQUEST) is enabled (the default).
5. The application does not set a `Cache-Control` header to indicate that a page is private or should not be cached.

This happens because vulnerable versions of Flask only set the `Vary: Cookie` header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified.
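As an added illustration (not code from Flask or from the advisory), the following models the mechanism described above at the header level: a simplified shared-cache decision on whether client A's refreshed-session response would be handed to client B, and the after-request style fix an application on an unpatched version can apply itself (adding `Vary: Cookie`, as the patch does, and a private `Cache-Control`, as condition 5 describes). The cache model, the function names and the sample response headers are constructed assumptions, not the behaviour of any particular proxy.

```python
from typing import MutableMapping


def _directives(value: str) -> list[str]:
    """Split a comma-separated header value into its non-empty tokens."""
    return [part.strip() for part in value.split(",") if part.strip()]


def harden_cookie_response(headers: MutableMapping[str, str]) -> MutableMapping[str, str]:
    """Apply both header fixes to any response that carries Set-Cookie.

    Adds 'Cookie' to Vary (what patched Flask does on a session refresh) and
    marks the response 'private, no-store' so a shared cache will not keep it
    (the Cache-Control mitigation of condition 5). Idempotent; returns headers.
    In a Flask app this would run inside an @app.after_request hook (assumed).
    """
    if "Set-Cookie" not in headers:
        return headers
    vary = _directives(headers.get("Vary", ""))
    if not any(v.lower() == "cookie" for v in vary):
        vary.append("Cookie")
    headers["Vary"] = ", ".join(vary)
    cache_control = _directives(headers.get("Cache-Control", ""))
    if not {d.lower() for d in cache_control} & {"private", "no-store"}:
        cache_control += ["private", "no-store"]
    headers["Cache-Control"] = ", ".join(cache_control)
    return headers


def leaks_to_other_client(headers, cookie_a: str, cookie_b: str) -> bool:
    """Simplified model of a shared proxy cache that does not strip cookies
    (advisory condition 1). A response generated for client A (request Cookie
    = cookie_a) is stored unless Cache-Control says private or no-store, and
    is then served to client B (request Cookie = cookie_b) unless Vary: Cookie
    makes the cache key differ between the two requests."""
    cache_control = {d.lower() for d in _directives(headers.get("Cache-Control", ""))}
    if cache_control & {"private", "no-store"}:
        return False  # shared cache must not store it at all
    vary = {v.lower() for v in _directives(headers.get("Vary", ""))}
    if "cookie" in vary and cookie_a != cookie_b:
        return False  # cache keys on Cookie, so B's request misses
    return True


# Constructed sample: what a vulnerable Flask version emits when a permanent
# session is refreshed without being accessed (Set-Cookie, no Vary, no Cache-Control).
REFRESHED_SESSION_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Set-Cookie": "session=<client-A-session-value>; HttpOnly; Path=/",
}

if __name__ == "__main__":
    unsafe = dict(REFRESHED_SESSION_RESPONSE)
    print("before fix, served to B:", leaks_to_other_client(unsafe, "session=A", "session=B"))
    print("after fix, served to B:", leaks_to_other_client(harden_cookie_response(unsafe), "session=A", "session=B"))
```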
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Palletsprojects Flask | <2.2.5 | |
| Palletsprojects Flask | >=2.3.0, <2.3.2 | |
| debian/flask | <=1.0.2-3 | 1.0.2-3+deb10u1, 1.1.2-2+deb11u1, 2.2.2-3, 2.2.5-1 |
| IBM Watson Knowledge Catalog on-prem | <=4.x | |
| pip/flask | <2.2.5 | 2.2.5 |
| pip/flask | >=2.3.0, <2.3.2 | 2.3.2 |
| redhat/flask | <2.2.5 | 2.2.5 |
| redhat/flask | <2.3.2 | 2.3.2 |
CVE-2023-30861 is a vulnerability in Pallets Flask that could allow a remote attacker to obtain sensitive information.
The severity of CVE-2023-30861 is high with a CVSS score of 7.5.
CVE-2023-30861 affects Pallets Flask versions 2.2.5 up to, but excluding, 2.3.2.
To fix CVE-2023-30861, update Pallets Flask to version 2.3.2 or apply a suitable remedy provided by your distribution.
You can find more information about CVE-2023-30861 in the following references:

- [GitHub Commit](https://github.com/pallets/flask/commit/70f906c51ce49c485f1d355703e9cc3386b1cc2b)
- [Flask 2.3.2 Release](https://github.com/pallets/flask/releases/tag/2.3.2)
- [Flask 2.2.5 Release](https://github.com/pallets/flask/releases/tag/2.2.5)