PYSEC-2023-62
cache poisoning vulnerability in flask (PyPI)


What is PYSEC-2023-62 About?

This vulnerability in Flask can lead to cache poisoning, where a caching proxy sends one client's session cookie to others. It occurs under specific conditions related to session permanence and caching headers. The impact can range from information disclosure to session hijacking, depending on the application and proxy behavior.

Affected Software

  • flask
    • <70f906c51ce49c485f1d355703e9cc3386b1cc2b
    • <2.2.5
    • >2.3.0, <2.3.2

Technical Details

The vulnerability arises when Flask is configured with session.permanent = True and SESSION_REFRESH_EACH_REQUEST is enabled (the default), but the application does not access or modify the session during a request. In this scenario, vulnerable Flask versions only set the Vary: Cookie header when the session is explicitly accessed or modified, not when it is merely refreshed. If such an application sits behind a caching proxy that neither strips cookies nor ignores responses carrying cookies, the proxy may cache a response that contains one client's session cookie. Subsequent requests from other clients that are served the cached response would receive the first client's session cookie, leading to session fixation or hijacking.
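As an added example (not Flask's own code and not from this advisory), a small Python check that flags responses matching the precondition above: a Set-Cookie for Flask's default session cookie with no Vary: Cookie and no Cache-Control directive that forbids shared caching. The two raw responses are constructed samples; the cookie name defaults to Flask's default of "session".

```python
"""Flag responses that set a Flask session cookie without Vary: Cookie."""
from typing import List, Tuple


def parse_headers(raw_response: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP/1.1 response (status line + headers) into
    (name, value) pairs, keeping repeated headers such as Set-Cookie."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers: List[Tuple[str, str]] = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip(), value.strip()))
    return headers


def _directives(value: str) -> List[str]:
    return [p.strip().lower() for p in value.split(",") if p.strip()]


def is_cache_poisoning_candidate(headers: List[Tuple[str, str]],
                                 cookie_name: str = "session") -> bool:
    """True when the response sets `cookie_name` (Flask's default session
    cookie) but neither carries Vary: Cookie nor forbids shared caching
    with Cache-Control: private / no-store."""
    set_cookies, vary, cache_control = [], [], []
    for name, value in headers:
        key = name.lower()
        if key == "set-cookie":
            set_cookies.append(value.split("=", 1)[0].strip().lower())
        elif key == "vary":
            vary.extend(_directives(value))
        elif key == "cache-control":
            cache_control.extend(_directives(value))
    if cookie_name.lower() not in set_cookies:
        return False                 # no session cookie to leak
    if "cookie" in vary or "*" in vary:
        return False                 # cache keys on Cookie: this is the fix
    if "private" in cache_control or "no-store" in cache_control:
        return False                 # shared caches must not store it anyway
    return True


# Constructed sample: refreshed permanent session from an unpatched Flask
VULNERABLE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
              "Set-Cookie: session=abc123; HttpOnly; Path=/\r\n\r\n<html>")
# Constructed sample: same response from a patched Flask (Vary: Cookie added)
FIXED = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nVary: Cookie\r\n"
         "Set-Cookie: session=abc123; HttpOnly; Path=/\r\n\r\n<html>")
```

Running the check over responses captured at the proxy for routes that never touch the session is a quick way to confirm whether an upgrade or a Cache-Control policy is still needed.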

What is the Impact of PYSEC-2023-62?

Successful exploitation may allow attackers to receive another user's session cookie from a caching proxy, potentially leading to session hijacking, unauthorized access, or information disclosure.

What is the Exploitability of PYSEC-2023-62?

Exploitation requires a specific combination of conditions to be met: the application must be behind a caching proxy that does not properly handle cookies, Flask must be configured with session.permanent = True and SESSION_REFRESH_EACH_REQUEST enabled, and the application must not explicitly access or modify the session. This is a remote attack, and attackers do not need authentication to initiate the cache poisoning. The complexity is moderate due to the setup prerequisites involving both the application and the proxy. The major risk factor is the deployment of Flask applications under the described configuration behind improperly configured caching proxies.

What are the Known Public Exploits?

PoC Author | Link | Commentary
fromitive | Link | Flask CVE-2023-30861 PoC environment setup

What are the Available Fixes for PYSEC-2023-62?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch consistently adds the "Vary: Cookie" HTTP header to responses whenever the session is accessed, modified, or the session cookie is removed, ensuring caches vary content based on the presence or absence of cookies. This fixes CVE-2023-30861 by preventing cache poisoning attacks, where a shared cache might otherwise serve content intended for an authenticated user to unauthenticated users due to missing "Vary: Cookie" signaling.

Available Upgrade Options

  • flask
    • <2.2.5 → Upgrade to 2.2.5
  • flask
    • >2.3.0, <2.3.2 → Upgrade to 2.3.2
  • flask
    • <70f906c51ce49c485f1d355703e9cc3386b1cc2b → Upgrade to 70f906c51ce49c485f1d355703e9cc3386b1cc2b


Additional Resources

What are Similar Vulnerabilities to PYSEC-2023-62?

Similar Vulnerabilities: CVE-2020-28048, CVE-2020-28049, CVE-2020-28050, CVE-2020-28051, CVE-2020-28052