Debian has published Security Advisory DSA-5442-1 for Flask, the Python web framework. The vulnerability disclosed in the advisory affects the Debian flask packages.
The vulnerability, CVE-2023-30861, affects the flask package in the following Debian suites: buster, bullseye, bullseye (security), bookworm, trixie and sid.
CVE-2023-30861 has a severity score of 7.5, which is rated High, and it compromises the confidentiality of the vulnerable system. According to NIST, the impact score is 3.6 and the exploitability score is 3.9.
Successful exploitation may disclose session cookies.
Image source: nvd.nist.gov
Description of the Vulnerability:
Flask is a lightweight WSGI (Web Server Gateway Interface) web application framework written in Python, and is used by organizations such as MIT, Uber, Reddit, Netflix, Mozilla, Airbnb and Lyft.
According to the Debian report, when all the necessary conditions are met, a response containing data intended for one client may be cached by a proxy and subsequently served to other clients. The danger is that if the proxy also caches the “Set-Cookie” header, it may send the session cookie belonging to one client to another client or clients.
Image source: bugs.debian.org
The severity depends on the application’s use of the session and on the proxy’s behavior regarding cookies.
List of Conditions to be met:
The vulnerability can only be triggered when a set of conditions is met, which includes but is not limited to:
- The Flask application must be hosted behind a caching proxy (a proxy that stores responses to reduce bandwidth use and speed up a website) that does not strip cookies or ignore responses with cookies.
- The application must set the session to be permanent, e.g. ‘session.permanent=True’.
- The application does not access or modify the session at any point during the request.
- ‘SESSION_REFRESH_EACH_REQUEST’ is left at its default setting, which is ‘enabled’.
- The application does not set a ‘Cache-Control’ header indicating that a page is private or should not be cached. The root cause is that a vulnerable version of Flask only sets the ‘Vary: Cookie’ header when the session is accessed or modified, and not when it is merely refreshed (re-sent with the same session cookie on each request) without being accessed or modified.
COOKIE SESSION DESCRIPTION:
- ‘session.permanent=True’: the session is revalidated each time the user accesses the web application, and the session cookie is retained until PERMANENT_SESSION_LIFETIME expires, at which point the session cookie is deleted.
- ‘SESSION_REFRESH_EACH_REQUEST’: when enabled, the session cookie is re-sent (refreshed) on every request, so a permanent session is kept alive until it is terminated.
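As an added illustration (not code from the advisory or from Flask itself), the following Python models the conditions above: a permanent session refreshed on every request, a view that never touches it, and a caching proxy in front. ‘Session’, ‘Response’, ‘save_session’ and ‘proxy_would_cache’ are simplified stand-ins for Flask’s session interface and a shared HTTP cache, and ‘mark_private’ shows an application-side ‘Cache-Control’ header as a defence that does not depend on the package upgrade.

```python
from dataclasses import dataclass, field
# Added model of CVE-2023-30861, not Flask's own code: Session, Response and
# the proxy are simplified stand-ins; the cookie value is a constructed placeholder.
@dataclass
class Session:
    permanent: bool = False
    accessed: bool = False  # the view read or wrote session data
    modified: bool = False  # the view wrote session data

@dataclass
class Response:
    headers: dict = field(default_factory=dict)

def save_session(session, response, fixed, refresh_each_request=True):
    """Write the session cookie at the end of a request.  With
    SESSION_REFRESH_EACH_REQUEST on, a permanent session is re-sent on every
    request.  The vulnerable logic adds 'Vary: Cookie' only when the view
    touched the session, so a bare refresh yields Set-Cookie without Vary;
    the fixed logic adds Vary whenever a cookie is written."""
    if session.accessed:
        response.headers["Vary"] = "Cookie"
    if session.modified or (session.permanent and refresh_each_request):
        response.headers["Set-Cookie"] = "session=<per-client-token>; HttpOnly"
        if fixed:
            response.headers["Vary"] = "Cookie"
    return response

def mark_private(response):
    """Application-side hardening (an after_request hook in Flask terms): a
    response that sets a cookie is marked private so a shared cache will not
    store it, whatever the framework version."""
    if "Set-Cookie" in response.headers:
        response.headers["Cache-Control"] = "private, no-store"
    return response

def proxy_would_cache(response):
    """Simplified shared cache: skips private/no-store responses and responses
    that vary on Cookie; stores everything else."""
    cc = response.headers.get("Cache-Control", "").lower()
    if "private" in cc or "no-store" in cc:
        return False
    return "cookie" not in response.headers.get("Vary", "").lower()

def leaks_session_cookie(fixed, hardened=False, accessed=False):
    """True if a view that never touches a permanent session emits a Set-Cookie the proxy stores."""
    resp = save_session(Session(permanent=True, accessed=accessed), Response(), fixed)
    if hardened:
        resp = mark_private(resp)
    return "Set-Cookie" in resp.headers and proxy_would_cache(resp)
```

Only the unpatched, unhardened combination with an untouched session leaks; a view that reads the session, the fixed save logic, or the ‘Cache-Control’ hook each stop the proxy from storing the response.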
MITIGATION:
Debian recommends that users running web applications on the Flask framework upgrade their flask packages.
UPDATED PACKAGES AND VERSION:
The updated packages patch the vulnerability. The fixed versions are as follows:
- Buster 1.0.2-3
- Bullseye 1.1.2-2
- Bullseye (security) 1.1.2-2+deb11u1
- Bookworm 2.2.2-3
- Trixie 2.2.2-3
- Sid 2.2.2-3