Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

CVE-2023-30861

Disclosure Date: May 02, 2023 •

CVE-2023-30861 CVSS v3 Base Score: 7.5

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Flask is a lightweight WSGI web application framework. When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches Set-Cookie headers, it may send one client’s session cookie to other clients. The severity depends on the application’s use of the session and the proxy’s behavior regarding cookies. The risk depends on all these conditions being met.

The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies.
The application sets session.permanent = True
The application does not access or modify the session at any point during a request.
SESSION_REFRESH_EACH_REQUEST enabled (the default).
The application does not set a Cache-Control header to indicate that a page is private or should not be cached.

This happens because vulnerable versions of Flask only set the Vary: Cookie header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified. This issue has been fixed in versions 2.3.2 and 2.2.5.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

7.5 High

Impact Score:

3.6

Exploitability Score:

3.9

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

None

Availability (A):

None

Vendors

palletsprojects

Products

flask

References

Canonical

CVE-2023-30861 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30861)

Miscellaneous

https://github.com/pallets/flask/security/advisories/GHSA-m2qf-hxjv-5gpq

https://github.com/pallets/flask/commit/70f906c51ce49c485f1d355703e9cc3386b1cc2b

https://github.com/pallets/flask/commit/afd63b16170b7c047f5758eb910c416511e9c965

https://github.com/pallets/flask/releases/tag/2.2.5

https://github.com/pallets/flask/releases/tag/2.3.2

https://www.debian.org/security/2023/dsa-5442

https://security.netapp.com/advisory/ntap-20230818-0006/

https://lists.debian.org/debian-lts-announce/2023/08/msg00024.html

Rapid7

Unknown

CVE-2023-30861

Unknown

Unknown

None

None

Network

CVE-2023-30861

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Unknown

CVE-2023-30861

Unknown

Unknown

None

None

Network

CVE-2023-30861

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Quick Cookie Notification