Source: flask
Version: 2.2.2-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,

The following vulnerability was published for flask.

CVE-2023-30861[0]:
| Flask is a lightweight WSGI web application framework. When all of the
| following conditions are met, a response containing data intended for
| one client may be cached and subsequently sent by the proxy to other
| clients. If the proxy also caches `Set-Cookie` headers, it may send
| one client's `session` cookie to other clients. The severity depends
| on the application's use of the session and the proxy's behavior
| regarding cookies. The risk depends on all these conditions being met.
|
| 1. The application must be hosted behind a caching proxy that does not
|    strip cookies or ignore responses with cookies.
| 2. The application sets `session.permanent = True`
| 3. The application does not access or modify the session at any point
|    during a request.
| 4. `SESSION_REFRESH_EACH_REQUEST` enabled (the default).
| 5. The application does not set a `Cache-Control` header to indicate
|    that a page is private or should not be cached.
|
| This happens because vulnerable versions of Flask only set the
| `Vary: Cookie` header when the session is accessed or modified, not
| when it is refreshed (re-sent to update the expiration) without being
| accessed or modified. This issue has been fixed in versions 2.3.2 and
| 2.2.5.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-30861
    https://www.cve.org/CVERecord?id=CVE-2023-30861
[1] https://github.com/pallets/flask/security/advisories/GHSA-m2qf-hxjv-5gpq

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
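Added example, not part of the bug report and not Flask's own code: a header audit plus a WSGI middleware that supplies the `Vary: Cookie` and `Cache-Control: private` headers the advisory's condition 5 and the upstream fix are about, exercised against a constructed stand-in app that re-sends the session cookie without touching the session. The middleware name, the stand-in app and the cookie value are assumptions.

```python
from typing import Callable, List, Tuple

def _values(headers: List[Tuple[str, str]], name: str) -> List[str]:
    # All values of a header, matched case-insensitively; Set-Cookie may repeat.
    return [v for n, v in headers if n.lower() == name.lower()]

def _tokens(headers: List[Tuple[str, str]], name: str) -> set:
    # Comma-separated directives of a header, lowercased, across all copies.
    return {t.strip().lower() for v in _values(headers, name) for t in v.split(",")}

def missing_cache_headers(headers: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    # Headers this response lacks that a shared cache needs so it will not
    # replay a Set-Cookie response (e.g. a refreshed session cookie) to other
    # clients: vary on Cookie, and mark the response private. An empty list
    # means the response is already safe (or sets no cookie at all).
    missing = []
    if not _values(headers, "Set-Cookie"):
        return missing
    if not _tokens(headers, "Vary") & {"cookie", "*"}:
        missing.append(("Vary", "Cookie"))
    if not _tokens(headers, "Cache-Control") & {"private", "no-store"}:
        missing.append(("Cache-Control", "private"))
    return missing

class NoSharedCookieCache:
    # WSGI middleware (hypothetical name) that appends the missing headers
    # regardless of whether the application touched the session.
    def __init__(self, app: Callable) -> None:
        self.app = app

    def __call__(self, environ, start_response):
        def guarded(status, headers, exc_info=None):
            headers = list(headers)
            return start_response(status, headers + missing_cache_headers(headers), exc_info)
        return self.app(environ, guarded)

def vulnerable_app(environ, start_response):
    # Constructed stand-in for the bug: the session cookie is re-sent
    # (refreshed) without the session being accessed, so no Vary header.
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("Set-Cookie", "session=constructed; HttpOnly")])
    return [b"<p>hello</p>"]

def response_headers(app: Callable, path: str = "/") -> List[Tuple[str, str]]:
    # Invoke a WSGI app with a minimal environ and return its response headers.
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["headers"] = list(headers)
    list(app({"REQUEST_METHOD": "GET", "PATH_INFO": path}, start_response))
    return captured["headers"]
```

Running `missing_cache_headers(response_headers(vulnerable_app))` reports both missing headers, while wrapping the same app in `NoSharedCookieCache` yields a response the audit passes.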