Showing 1 - 8 of 8

CVE-2023-30861

Status Candidate

Overview

Flask is a lightweight WSGI web application framework. When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches `Set-Cookie` headers, it may send one client's `session` cookie to other clients. The severity depends on the application's use of the session and the proxy's behavior regarding cookies. The risk depends on all these conditions being met. 1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies. 2. The application sets `session.permanent = True` 3. The application does not access or modify the session at any point during a request. 4. `SESSION_REFRESH_EACH_REQUEST` enabled (the default). 5. The application does not set a `Cache-Control` header to indicate that a page is private or should not be cached. This happens because vulnerable versions of Flask only set the `Vary: Cookie` header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified. This issue has been fixed in versions 2.3.2 and 2.2.5.

Related Files

Debian Security Advisory 5442-1: Posted Jun 30, 2023; Authored by Debian | Site debian.org; Debian Linux Security Advisory 5442-1 - It was discovered that in some conditions the Flask web framework may disclose a session cookie.; tags | advisory, web; systems | linux, debian; advisories | CVE-2023-30861; SHA-256 | aa6d14052aaef5c3f2f5663a043beb788af85ae3566b7681bf1690ce3b9024ed; Download | Favorite | View

Red Hat Security Advisory 2023-3545-01: Posted Jun 15, 2023; Authored by Red Hat | Site access.redhat.com; Red Hat Security Advisory 2023-3545-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.12.21.; tags | advisory; systems | linux, redhat; advisories | CVE-2023-24540, CVE-2023-30861; SHA-256 | c60905674f959ca73890c51d4fb0bfa1ed8a0ac8baf5e09761e6ed36f22d5253; Download | Favorite | View

Red Hat Security Advisory 2023-3536-01: Posted Jun 15, 2023; Authored by Red Hat | Site access.redhat.com; Red Hat Security Advisory 2023-3536-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.13.3.; tags | advisory; systems | linux, redhat; advisories | CVE-2023-30861; SHA-256 | f02697a86b878b646d613e36ff5dac22db5e8a485ffe42ab75e35f396960657c; Download | Favorite | View

Red Hat Security Advisory 2023-3525-01: Posted Jun 7, 2023; Authored by Red Hat | Site access.redhat.com; Red Hat Security Advisory 2023-3525-01 - Flask is a lightweight but extensible web development framework for Python based on the Werkzeug WSGI toolkit, and the Jinja 2 template engine.; tags | advisory, web, python; systems | linux, redhat; advisories | CVE-2023-30861; SHA-256 | aa0ea2323128266d3d1c561693ebe5815feb3f6880d4658b7cad4237aa890a18; Download | Favorite | View

Red Hat Security Advisory 2023-3440-01: Posted Jun 6, 2023; Authored by Red Hat | Site access.redhat.com; Red Hat Security Advisory 2023-3440-01 - An update for python-flask is now available for Red Hat OpenStack Platform 17.0 (Wallaby).; tags | advisory, python; systems | linux, redhat; advisories | CVE-2023-30861; SHA-256 | 47e4172dd46e2787ee4347d55cc943f9e3299e511218414a1d47ce701e992d09; Download | Favorite | View

Red Hat Security Advisory 2023-3444-01: Posted Jun 6, 2023; Authored by Red Hat | Site access.redhat.com; Red Hat Security Advisory 2023-3444-01 - An update for python-flask is now available for Red Hat OpenStack Platform 16.2 (Train).; tags | advisory, python; systems | linux, redhat; advisories | CVE-2023-30861; SHA-256 | 56b7203d2538103388c1de55e3182529a6ddf7cdfee0ed968e50b2bf7bf88990; Download | Favorite | View

Red Hat Security Advisory 2023-3446-01: Posted Jun 6, 2023; Authored by Red Hat | Site access.redhat.com; Red Hat Security Advisory 2023-3446-01 - An update for python-flask is now available for Red Hat OpenStack Platform 16.1 (Train).; tags | advisory, python; systems | linux, redhat; advisories | CVE-2023-30861; SHA-256 | 5a5e6ac0bb2fb927993b0fe60a0be7e366b61c870a8d0f8cf6a30527b8e758f6; Download | Favorite | View

Ubuntu Security Notice USN-6111-1: Posted May 30, 2023; Authored by Ubuntu | Site security.ubuntu.com; Ubuntu Security Notice 6111-1 - It was discovered that Flask incorrectly handled certain data responses. An attacker could possibly use this issue to expose sensitive information.; tags | advisory; systems | linux, ubuntu; advisories | CVE-2023-30861; SHA-256 | f3bfcd4da58e2bede4e74902fc1c0e5e1ecf3fb718cae4373a7ba38a8117ca3e; Download | Favorite | View

Page 1 of 1 Back 1 Next

Top Authors In Last 30 Days

Red Hat 256 files
Ubuntu 87 files
Gentoo 31 files
Debian 19 files
tmrswrr 8 files
Sina Kheirkhah 7 files
Rodolfo Tavares 4 files
bRpsd 3 files
nu11secur1ty 3 files
h00die-gr3y 2 files

File Archives

Systems

AIX (429)
Apple (2,090)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,082)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,531)
HPUX (880)
iOS (376)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,448)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,344)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,672)
UNIX (9,427)
UnixWare (187)
Windows (6,666)
Other

CVE-2023-30861

Overview

Related Files

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems