CVSS: 7.8 | EPSS: 0% | CPEs: 2 | EXPL: 1

CVE-2023-30861 – Flask vulnerable to possible disclosure of permanent session cookie due to missing Vary: Cookie header
https://notcve.org/view.php?id=CVE-2023-30861
02 May 2023 — Flask is a lightweight WSGI web application framework. When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches `Set-Cookie` headers, it may send one client's `session` cookie to other clients. The severity depends on the application's use of the session and the proxy's behavior regarding cookies. The risk depends on all these conditions being met. 1.

• https://github.com/JawadPy/CVE-2023-30861-Exploit
• CWE-488: Exposure of Data Element to Wrong Session
• CWE-539: Use of Persistent Cookies Containing Sensitive Information