CVE-2023-30861 - Unintended Response Caching in Flask Applications Leading to Session Leakage

Flask, a widely used lightweight WSGI web application framework, was recently found to have a security vulnerability that can cause a caching proxy to store a response meant for one client and serve it to other clients. This vulnerability is identified as CVE-2023-30861. Under certain conditions, the proxy may also cache the Set-Cookie header, sending one client's session cookie to other clients and potentially leaking that client's session. In this post, we will discuss the details of this vulnerability, provide code snippets, and link to original references and resources for mitigation.

In order for the vulnerability to be present, the following conditions must all be met:

1. The application is hosted behind a caching proxy that does not strip cookies or ignore responses with cookies.

2. The application sets session.permanent = True.

3. The application does not access or modify the session at any point during a request.

4. SESSION_REFRESH_EACH_REQUEST is enabled (the default).

5. The application does not set a Cache-Control header to indicate that a page is private or should not be cached.

Here's an example of vulnerable Flask application code:

from flask import Flask, session

app = Flask(__name__)
app.config['SECRET_KEY'] = 'mysecretkey'  # demo value only; use a random secret in practice
# True is already the default; shown explicitly because it is one of the conditions above
app.config['SESSION_REFRESH_EACH_REQUEST'] = True

@app.route('/')
def index():
    # A permanent session makes Flask re-send the session cookie on every
    # request to refresh its expiry; the view never reads session data and
    # sends no Cache-Control header, so the response looks cacheable to a proxy.
    session.permanent = True
    return 'Hello, World!'

This vulnerability exists because affected versions of Flask only set the Vary: Cookie header when the session is accessed or modified, not when it is merely refreshed (re-sent to update its expiration) without being accessed or modified. Without Vary: Cookie, a proxy has no signal that the response depends on the requesting client's cookie.
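The following is an added illustration, not code from Flask or from the original post: a simplified model of the session cookie and Vary headers Flask emits when a permanent session is only refreshed (before and after the fix), plus a toy shared cache that behaves as condition 1 describes. Running the scenario shows client A's refreshed cookie reaching client B unless Flask sends Vary: Cookie or the app sends Cache-Control: private.

```python
# Added model for CVE-2023-30861 (not Flask's or the post's code): simplified Flask session headers + toy shared cache.
from typing import Callable, Dict, Optional, Tuple

def flask_headers(session_used: bool, permanent: bool,
                  refresh_each_request: bool, patched: bool) -> Dict[str, str]:
    """Session headers a simplified Flask adds to one response: the cookie is (re)sent
    if the session was used (accessed/modified) or, for a permanent session with
    SESSION_REFRESH_EACH_REQUEST, on every request. Unpatched: Vary only when used."""
    headers: Dict[str, str] = {}
    send_cookie = session_used or (permanent and refresh_each_request)
    if send_cookie:
        headers["Set-Cookie"] = "session=<signed-session-data>; Path=/"
    if session_used or (patched and send_cookie):
        headers["Vary"] = "Cookie"
    return headers

class SharedCache:
    """Toy caching proxy meeting condition 1: it stores any response not marked
    private/no-store, cookies included, and honours Vary when matching entries."""
    def __init__(self) -> None:
        self.store: Dict[str, list] = {}  # path -> [(varied request headers, response)]

    def fetch(self, path: str, req: Dict[str, str],
              origin: Callable[[Dict[str, str]], Dict[str, str]]) -> Tuple[Dict[str, str], bool]:
        """Return (response headers, served_from_cache)."""
        for varied, resp in self.store.get(path, []):
            if all(req.get(name, "") == value for name, value in varied):
                return resp, True
        resp = origin(req)
        cc = resp.get("Cache-Control", "").lower()
        if "private" not in cc and "no-store" not in cc:
            names = [h.strip() for h in resp.get("Vary", "").split(",") if h.strip()]
            varied = tuple((n, req.get(n, "")) for n in names)
            self.store.setdefault(path, []).append((varied, resp))
        return resp, False

def session_leaks(patched: bool, cache_control: Optional[str] = None) -> bool:
    """Does client A's refreshed session cookie reach client B through the cache?"""
    cache = SharedCache()
    def origin(req: Dict[str, str]) -> Dict[str, str]:
        resp = flask_headers(session_used=False, permanent=True,
                             refresh_each_request=True, patched=patched)
        if "Set-Cookie" in resp:  # the refreshed cookie is the requesting client's own
            resp["Set-Cookie"] = f"session={req['Cookie']}-refreshed; Path=/"
        if cache_control:  # e.g. 'private', the header condition 5 says is missing
            resp["Cache-Control"] = cache_control
        return resp
    cache.fetch("/", {"Cookie": "A"}, origin)
    resp_b, from_cache = cache.fetch("/", {"Cookie": "B"}, origin)
    return from_cache and resp_b["Set-Cookie"].startswith("session=A")
```

session_leaks(patched=False) returns True, while session_leaks(patched=True) and session_leaks(patched=False, cache_control="private") both return False, matching the two mitigations the post describes.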

To fix the issue, it is highly recommended that developers update their Flask applications to versions 2.3.2 or 2.2.5, which have patched this vulnerability. You can find more information about the fixed versions in the Flask changelog and GitHub repository.

Additionally, developers should ensure that their caching proxy configuration strips cookies from cached responses, as that also mitigates this issue. Here is an example of a configuration for the popular Nginx caching proxy that strips cookies from cached responses:

# Let nginx cache responses even though the upstream sent Set-Cookie
# (by default nginx refuses to cache such responses)
proxy_ignore_headers Set-Cookie;
# ...and never forward the upstream's Set-Cookie to clients, so no cached
# copy can carry another client's session cookie. Both directives apply to
# every response in this context, so use them only where cookies are not needed.
proxy_hide_header Set-Cookie;

In conclusion, Flask applications that meet the aforementioned conditions should be updated to version 2.3.2 or 2.2.5, and developers should make sure their caching proxy configurations strip cookies or ignore responses with cookies, to prevent unintended response caching and potential session leakage.

For further reading and understanding of the vulnerability and possible exploitation, refer to the following sources:

1. Flask Security Advisory
2. Flask CVE-2023-30861 Issue
3. Discussion on Reddit
4. Nginx Config Documentation

Feel free to share your thoughts or questions about this vulnerability in the comments below. Stay safe and keep your Flask applications updated!

Timeline

Published on: 05/02/2023 18:15:00 UTC
Last modified on: 05/10/2023 03:55:00 UTC