3 results (0.002 seconds)

CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 1

CVE-2023-30861 – Flask vulnerable to possible disclosure of permanent session cookie due to missing Vary: Cookie header

https://notcve.org/view.php?id=CVE-2023-30861

Flask is a lightweight WSGI web application framework. When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches `Set-Cookie` headers, it may send one client's `session` cookie to other clients. The severity depends on the application's use of the session and the proxy's behavior regarding cookies. The risk depends on all these conditions being met. 1. • https://github.com/JawadPy/CVE-2023-30861-Exploit https://github.com/pallets/flask/commit/70f906c51ce49c485f1d355703e9cc3386b1cc2b https://github.com/pallets/flask/commit/afd63b16170b7c047f5758eb910c416511e9c965 https://github.com/pallets/flask/releases/tag/2.2.5 https://github.com/pallets/flask/releases/tag/2.3.2 https://github.com/pallets/flask/security/advisories/GHSA-m2qf-hxjv-5gpq https://lists.debian.org/debian-lts-announce/2023/08/msg00024.html https://security.netapp.com/advisory/ntap-20230818 • CWE-488: Exposure of Data Element to Wrong Session CWE-539: Use of Persistent Cookies Containing Sensitive Information •

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0

CVE-2019-1010083

https://notcve.org/view.php?id=CVE-2019-1010083

The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1. NOTE: this may overlap CVE-2018-1000656. • https://www.palletsprojects.com/blog/flask-1-0-released •

CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0

CVE-2018-1000656 – python-flask: Denial of Service via crafted JSON file

https://notcve.org/view.php?id=CVE-2018-1000656

The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083. Flask de The Pallets Project en versiones anteriores a la 0.12.3 contiene una vulnerabilidad CWE-20: Validación de entradas incorrecta en flask que puede dar lugar al uso de una gran cantidad de memoria, posiblemente conduciendo a una denegación de servicio (DoS). • https://github.com/pallets/flask/pull/2691 https://github.com/pallets/flask/releases/tag/0.12.3 https://lists.debian.org/debian-lts-announce/2019/08/msg00025.html https://security.netapp.com/advisory/ntap-20190221-0001 https://usn.ubuntu.com/4378-1 https://access.redhat.com/security/cve/CVE-2018-1000656 https://bugzilla.redhat.com/show_bug.cgi?id=1623131 • CWE-20: Improper Input Validation •