Vulnerabilities
Misconfiguration
Runtime Security
Compliance
CVE Vulnerabilities

CVE-2023-30861

Use of Persistent Cookies Containing Sensitive Information

Published: May 02, 2023 | Modified: Aug 20, 2023
CVSS 3.x
7.5
HIGH
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 2.x
RedHat/V2
RedHat/V3
7.5 IMPORTANT
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Ubuntu
MEDIUM
Additional information
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2023-30861
CWEhttps://cwe.mitre.org/data/definitions/539.html

Flask is a lightweight WSGI web application framework. When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches Set-Cookie headers, it may send one clients session cookie to other clients. The severity depends on the applications use of the session and the proxys behavior regarding cookies. The risk depends on all these conditions being met.

  1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies.
  2. The application sets session.permanent = True
  3. The application does not access or modify the session at any point during a request.
  4. SESSION_REFRESH_EACH_REQUEST enabled (the default).
  5. The application does not set a Cache-Control header to indicate that a page is private or should not be cached.

This happens because vulnerable versions of Flask only set the Vary: Cookie header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified. This issue has been fixed in versions 2.3.2 and 2.2.5.

Weakness

The web application uses persistent cookies, but the cookies contain sensitive information.

Affected Software

Name Vendor Start Version End Version
Flask Palletsprojects * 2.2.5 (excluding)
Flask Palletsprojects 2.3.0 (including) 2.3.2 (excluding)
Ironic content for Red Hat OpenShift Container Platform 4.11 RedHat python-flask-1:1.1.2-6.el8 *
Ironic content for Red Hat OpenShift Container Platform 4.12 RedHat python-flask-1:2.0.1-3.el9 *
Ironic content for Red Hat OpenShift Container Platform 4.13 RedHat python-flask-2:2.0.1-4.el9.2 *
Red Hat Enterprise Linux 7 Extras RedHat python-flask-1:0.10.1-7.el7_9 *
Red Hat OpenStack Platform 16.1 RedHat python-flask-1:1.0.2-8.el8ost *
Red Hat OpenStack Platform 16.2 RedHat python-flask-1:1.0.2-8.el8ost *
Red Hat OpenStack Platform 17.0 RedHat python-flask-1:1.1.2-6.el9ost *
Red Hat Quay 3 RedHat quay/quay-rhel8:v3.10.0-150 *
Flask Ubuntu devel *
Flask Ubuntu focal *
Flask Ubuntu jammy *
Flask Ubuntu kinetic *
Flask Ubuntu lunar *
Flask Ubuntu trusty *
Flask Ubuntu xenial *

Potential Mitigations

References

Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2024 Aqua Security Software Ltd.   Privacy Policy | Terms of Use