CVE-2023-30861

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 02/05/2023
Last modified: 20/08/2023

Description

Flask is a lightweight WSGI web application framework. When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches `Set-Cookie` headers, it may send one client's `session` cookie to other clients. The severity depends on the application's use of the session and the proxy's behavior regarding cookies. The risk depends on all these conditions being met.

1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies.
2. The application sets `session.permanent = True`
3. The application does not access or modify the session at any point during a request.
4. `SESSION_REFRESH_EACH_REQUEST` enabled (the default).
5. The application does not set a `Cache-Control` header to indicate that a page is private or should not be cached.

This happens because vulnerable versions of Flask only set the `Vary: Cookie` header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified. This issue has been fixed in versions 2.3.2 and 2.2.5.
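The check below is an added example, not code from Flask or from this advisory: it flags an installed Flask version inside the affected ranges and a captured response that refreshes the `session` cookie without `Vary: Cookie` or a protective `Cache-Control`. The function names and both sample responses are constructed for illustration, and treating only `private` and `no-store` as protective is an assumption.

```python
import re

def flask_version_affected(version):
    """Ranges from this advisory: below 2.2.5, or from 2.3.0 up to (not including) 2.3.2."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    v = tuple(parts + [0] * (3 - len(parts)))  # pad "2.3" to (2, 3, 0)
    return v < (2, 2, 5) or (2, 3, 0) <= v < (2, 3, 2)

def parse_headers(raw):
    """Return (lowercased name, value) pairs, skipping the status line."""
    pairs = []
    for line in raw.strip().splitlines()[1:]:
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def shared_cache_risk(raw, cookie_name="session"):
    """True when a response sets the session cookie but gives a shared
    cache no signal (Vary: Cookie, private, no-store) to keep it per-client."""
    headers = parse_headers(raw)

    def values(name):
        return [v for k, v in headers if k == name]

    sets_session = any(v.split("=", 1)[0].strip() == cookie_name
                       for v in values("set-cookie"))
    vary = {t.strip().lower() for v in values("vary") for t in v.split(",")}
    directives = {t.strip().lower().split("=")[0]
                  for v in values("cache-control") for t in v.split(",")}
    protected = bool(directives & {"private", "no-store"})  # assumption: these two only
    keyed_on_cookie = "cookie" in vary or "*" in vary
    return sets_session and not keyed_on_cookie and not protected

# Constructed sample: session refreshed, nothing tells the proxy it is per-client.
SAMPLE_VULNERABLE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: session=CONSTRUCTED.PLACEHOLDER; Expires=Thu, 01 Jun 2023 00:00:00 GMT; HttpOnly; Path=/
"""

# Constructed sample: same refresh, but with Vary: Cookie as in the fixed versions.
SAMPLE_FIXED = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding, Cookie
Set-Cookie: session=CONSTRUCTED.PLACEHOLDER; Expires=Thu, 01 Jun 2023 00:00:00 GMT; HttpOnly; Path=/
"""

if __name__ == "__main__":
    for label, raw in (("vulnerable", SAMPLE_VULNERABLE), ("fixed", SAMPLE_FIXED)):
        print(label, "-> at risk:", shared_cache_risk(raw))
```
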

Vulnerable products and versions

| CPE | From | Up to |
| --- | --- | --- |
| cpe:2.3:a:palletsprojects:flask:*:*:*:*:*:*:*:* | | 2.2.5 (excluding) |
| cpe:2.3:a:palletsprojects:flask:*:*:*:*:*:*:*:* | 2.3.0 (including) | 2.3.2 (excluding) |