Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:pypi/flask@1.0.2

Type pypi

Namespace

Name flask

Version 1.0.2

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 2.2.5

Latest_non_vulnerable_version 3.1.3

Affected_by_vulnerabilities

url VCID-nsmh-gqz9-tkat

vulnerability_id VCID-nsmh-gqz9-tkat

summary

Flask is a lightweight WSGI web application framework. When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches `Set-Cookie` headers, it may send one client's `session` cookie to other clients. The severity depends on the application's use of the session and the proxy's behavior regarding cookies. The risk depends on all these conditions being met.

1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies.
2. The application sets `session.permanent = True`
3. The application does not access or modify the session at any point during a request.
4. `SESSION_REFRESH_EACH_REQUEST` enabled (the default).
5. The application does not set a `Cache-Control` header to indicate that a page is private or should not be cached.

This happens because vulnerable versions of Flask only set the `Vary: Cookie` header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified. This issue has been fixed in versions 2.3.2 and 2.2.5.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-30861.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-30861.json

reference_url

https://github.com/pallets/flask

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/pallets/flask

reference_url

https://github.com/pallets/flask/commit/70f906c51ce49c485f1d355703e9cc3386b1cc2b

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/pallets/flask/commit/70f906c51ce49c485f1d355703e9cc3386b1cc2b

reference_url

https://github.com/pallets/flask/commit/afd63b16170b7c047f5758eb910c416511e9c965

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/pallets/flask/commit/afd63b16170b7c047f5758eb910c416511e9c965

reference_url

https://github.com/pallets/flask/releases/tag/2.2.5

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/pallets/flask/releases/tag/2.2.5

reference_url

https://github.com/pallets/flask/releases/tag/2.3.2

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/pallets/flask/releases/tag/2.3.2

reference_url

https://github.com/pallets/flask/security/advisories/GHSA-m2qf-hxjv-5gpq

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/pallets/flask/security/advisories/GHSA-m2qf-hxjv-5gpq

reference_url

https://github.com/pypa/advisory-database/tree/main/vulns/flask/PYSEC-2023-62.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/pypa/advisory-database/tree/main/vulns/flask/PYSEC-2023-62.yaml

reference_url

https://lists.debian.org/debian-lts-announce/2023/08/msg00024.html

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2023/08/msg00024.html

reference_url

https://security.netapp.com/advisory/ntap-20230818-0006

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20230818-0006

reference_url

https://www.debian.org/security/2023/dsa-5442

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://www.debian.org/security/2023/dsa-5442

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035670
reference_id	1035670
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035670

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2196643
reference_id	2196643
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2196643

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-30861

reference_id

CVE-2023-30861

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-30861

reference_url	https://github.com/advisories/GHSA-m2qf-hxjv-5gpq
reference_id	GHSA-m2qf-hxjv-5gpq
reference_type
scores
url	https://github.com/advisories/GHSA-m2qf-hxjv-5gpq

reference_url	https://access.redhat.com/errata/RHSA-2023:3440
reference_id	RHSA-2023:3440
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:3440

reference_url	https://access.redhat.com/errata/RHSA-2023:3444
reference_id	RHSA-2023:3444
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:3444

reference_url	https://access.redhat.com/errata/RHSA-2023:3446
reference_id	RHSA-2023:3446
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:3446

reference_url	https://access.redhat.com/errata/RHSA-2023:3525
reference_id	RHSA-2023:3525
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:3525

reference_url	https://access.redhat.com/errata/RHSA-2023:3536
reference_id	RHSA-2023:3536
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:3536

reference_url	https://access.redhat.com/errata/RHSA-2023:3541
reference_id	RHSA-2023:3541
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:3541

reference_url	https://access.redhat.com/errata/RHSA-2023:3545
reference_id	RHSA-2023:3545
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:3545

reference_url	https://access.redhat.com/errata/RHSA-2023:7341
reference_id	RHSA-2023:7341
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:7341

fixed_packages

url	pkg:pypi/flask@2.2.5
purl	pkg:pypi/flask@2.2.5
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:pypi/flask@2.2.5

url	pkg:pypi/flask@2.3.2
purl	pkg:pypi/flask@2.3.2
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:pypi/flask@2.3.2

aliases CVE-2023-30861, GHSA-m2qf-hxjv-5gpq, PYSEC-2023-62

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-nsmh-gqz9-tkat

Fixing_vulnerabilities

Risk_score 4.0

Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/flask@1.0.2

Package Instance