VulnerableCode Package Details - pkg:rpm/redhat/python-flask@2:2.0.1-4.el9?arch=2

Search for packages

Vulnerability	Summary	Fixed by
VCID-6f2e-66xz-t7cu Aliases: CVE-2023-30861 GHSA-m2qf-hxjv-5gpq PYSEC-2023-62	Flask is a lightweight WSGI web application framework. When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches `Set-Cookie` headers, it may send one client's `session` cookie to other clients. The severity depends on the application's use of the session and the proxy's behavior regarding cookies. The risk depends on all these conditions being met. 1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies. 2. The application sets `session.permanent = True` 3. The application does not access or modify the session at any point during a request. 4. `SESSION_REFRESH_EACH_REQUEST` enabled (the default). 5. The application does not set a `Cache-Control` header to indicate that a page is private or should not be cached. This happens because vulnerable versions of Flask only set the `Vary: Cookie` header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified. This issue has been fixed in versions 2.3.2 and 2.2.5.	There are no reported fixed by versions.
VCID-evjj-hwvm-fbca Aliases: CVE-2023-24538	Multiple vulnerabilities have been discovered in Go, the worst of which could lead to remote code execution.	There are no reported fixed by versions.
VCID-yr11-kwf1-pqfz Aliases: CVE-2023-24537	Multiple vulnerabilities have been discovered in Go, the worst of which could lead to remote code execution.	There are no reported fixed by versions.

Vulnerability

Summary

Fixed by

VCID-6f2e-66xz-t7cu
Aliases:
CVE-2023-30861
GHSA-m2qf-hxjv-5gpq
PYSEC-2023-62

Flask is a lightweight WSGI web application framework. When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches `Set-Cookie` headers, it may send one client's `session` cookie to other clients. The severity depends on the application's use of the session and the proxy's behavior regarding cookies. The risk depends on all these conditions being met. 1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies. 2. The application sets `session.permanent = True` 3. The application does not access or modify the session at any point during a request. 4. `SESSION_REFRESH_EACH_REQUEST` enabled (the default). 5. The application does not set a `Cache-Control` header to indicate that a page is private or should not be cached. This happens because vulnerable versions of Flask only set the `Vary: Cookie` header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified. This issue has been fixed in versions 2.3.2 and 2.2.5.

There are no reported fixed by versions.

VCID-evjj-hwvm-fbca
Aliases:
CVE-2023-24538

Multiple vulnerabilities have been discovered in Go, the worst of which could lead to remote code execution.

There are no reported fixed by versions.

VCID-yr11-kwf1-pqfz
Aliases:
CVE-2023-24537

Multiple vulnerabilities have been discovered in Go, the worst of which could lead to remote code execution.

There are no reported fixed by versions.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T13:54:38.027840+00:00	RedHat Importer	Affected by	VCID-yr11-kwf1-pqfz	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-24537.json	38.0.0
2026-04-01T13:54:33.277985+00:00	RedHat Importer	Affected by	VCID-evjj-hwvm-fbca	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-24538.json	38.0.0
2026-04-01T13:54:00.911073+00:00	RedHat Importer	Affected by	VCID-6f2e-66xz-t7cu	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-30861.json	38.0.0