Bug 2196643 (CVE-2023-30861)
Summary: | CVE-2023-30861 flask: Possible disclosure of permanent session cookie due to missing Vary: Cookie header | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Marco Benatto <mbenatto> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | unspecified | CC: | amctagga, aoconnor, apevec, bcl, bdettelb, bniver, dfreiber, eglynn, flucifre, gmeno, jburrell, jjoyce, jwboyer, lhh, mbenjamin, mburns, mgarciac, mhackett, rhos-maint, rogbas, rpittau, sostapov, spower, vereddy, vkumar |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | flask 2.2.5, flask 2.3.2 | Doc Type: | If docs needed, set a value |
Doc Text: |
A flaw was found in the Python Flask package. A cached response may contain data for one client sent by a proxy to other clients, including session cookies, resulting in the compromise of data confidentiality contained in the leak requests or cookies. This happens when the following conditions are met by the proxy's behavior regarding cookies and the application's behavior session usage:
1. The caching proxy does not strip or ignore response with cookies
2. The application sets a permanent session
3. The application does not access or modify the session during requests
4. SESSION_REFRESH_EACH_REQUEST is enabled, which is the default Flask behavior
5. The application does not set the Cache-Control header to avoid being cached
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2023-06-07 14:59:42 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 2196678, 2196679, 2196680, 2196681, 2196682, 2196683, 2196644, 2196645, 2196676, 2196677, 2203721, 2203722, 2203723, 2203724, 2254400 | ||
Bug Blocks: | 2196097 |
Description
Marco Benatto
2023-05-09 17:15:36 UTC
Created python-flask tracking bugs for this issue: Affects: fedora-all [bug 2196644] Affects: openstack-rdo [bug 2196645] Created python3-flask tracking bugs for this issue: Affects: epel-7 [bug 2196676] This issue has been addressed in the following products: Red Hat OpenStack Platform 17.0 Via RHSA-2023:3440 https://access.redhat.com/errata/RHSA-2023:3440 This issue has been addressed in the following products: Red Hat OpenStack Platform 16.2 Via RHSA-2023:3444 https://access.redhat.com/errata/RHSA-2023:3444 This issue has been addressed in the following products: Red Hat OpenStack Platform 16.1 Via RHSA-2023:3446 https://access.redhat.com/errata/RHSA-2023:3446 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Extras Via RHSA-2023:3525 https://access.redhat.com/errata/RHSA-2023:3525 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2023-30861 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.13 Via RHSA-2023:3536 https://access.redhat.com/errata/RHSA-2023:3536 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.12 Via RHSA-2023:3545 https://access.redhat.com/errata/RHSA-2023:3545 This issue has been addressed in the following products: Red Hat Quay 3 Via RHSA-2023:7341 https://access.redhat.com/errata/RHSA-2023:7341 |