Debian Bug report logs -
#1035670
flask: CVE-2023-30861: Possible disclosure of permanent session cookie due to missing Vary: Cookie header
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Python Team <team+python@tracker.debian.org>:
Bug#1035670; Package src:flask.
(Sun, 07 May 2023 15:21:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Python Team <team+python@tracker.debian.org>.
(Sun, 07 May 2023 15:21:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: flask
Version: 2.2.2-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Hi,
The following vulnerability was published for flask.
CVE-2023-30861[0]:
| Flask is a lightweight WSGI web application framework. When all of the
| following conditions are met, a response containing data intended for
| one client may be cached and subsequently sent by the proxy to other
| clients. If the proxy also caches `Set-Cookie` headers, it may send
| one client's `session` cookie to other clients. The severity depends
| on the application's use of the session and the proxy's behavior
| regarding cookies. The risk depends on all these conditions being met.
| 1. The application must be hosted behind a caching proxy that does not
| strip cookies or ignore responses with cookies. 2. The application
| sets `session.permanent = True` 3. The application does not access or
| modify the session at any point during a request. 4.
| `SESSION_REFRESH_EACH_REQUEST` enabled (the default). 5. The
| application does not set a `Cache-Control` header to indicate that a
| page is private or should not be cached. This happens because
| vulnerable versions of Flask only set the `Vary: Cookie` header when
| the session is accessed or modified, not when it is refreshed (re-sent
| to update the expiration) without being accessed or modified. This
| issue has been fixed in versions 2.3.2 and 2.2.5.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-30861
https://www.cve.org/CVERecord?id=CVE-2023-30861
[1] https://github.com/pallets/flask/security/advisories/GHSA-m2qf-hxjv-5gpq
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Mon May 8 13:12:11 2023;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon