Lucene search
K

6 matches found

IBM Security Bulletins
IBM Security Bulletins
added 2026/04/08 10:31 a.m.8 views

Security Bulletin: Session Cookie Exposure via Improper Cache Handling in Flask (≤ v2.3.1, ≤ v2.2.4), affects watsonx.data

Summary A vulnerability in Flask ≤ v2.3.1, ≤ v2.2.4 can cause session cookies to be exposed when responses are cached by a proxy. This occurs if sessions are permanent but not accessed during a request, combined with default cache settings. The issue is fixed in versions 2.3.2 and 2.2.5. This can...

7.5CVSS7.1AI score0.01261EPSS
Exploits1Affected Software1
Veracode
Veracode
added 2026/02/28 5:12 a.m.19 views

Sensitive Information Exposure

Flask is vulnerable to Sensitive Information Exposure. The vulnerability is due to incomplete handling of the Vary: Cookie header when accessing the session object, where certain access patterns e.g., using the in operator fail to mark responses as user-specific, allowing caching proxies to store...

4.3CVSS5.7AI score0.00374EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/02/19 8:45 p.m.6 views

GHSA-68RP-WP8R-4726 Flask session does not add `Vary: Cookie` header when accessed in some ways

When the session object is accessed, Flask should set the Vary: Cookie header. This instructs caches not to cache the response, as it may contain information specific to a logged in user. This is handled in most cases, but some forms of access such as the Python in operator were overlooked. The...

2.3CVSS5.9AI score0.00374EPSS
Exploits0References5
Hacker One
Hacker One
added 2025/04/08 1:37 p.m.1103 views

Internet Bug Bounty: Possible Sensitive Session Information Leak in Active Storage

There was a possible sensitive session information leak in Active Storage. Active Storage incorrectly sent the user's session cookie along with a Cache-Control: public header when serving files blobs. This allowed certain caching proxies to cache the response, including the Set-Cookie header,...

6.6AI score
Exploits0
OSV
OSV
added 2024/02/27 9:41 p.m.21 views

GHSA-8H22-8CF7-HQ6G Rails has possible Sensitive Session Information Leak in Active Storage

Possible Sensitive Session Information Leak in Active Storage There is a possible sensitive session information leak in Active Storage. By default, Active Storage sends a Set-Cookie header along with the user's session cookie when serving blobs. It also sets Cache-Control to public. Certain proxi...

5.3CVSS5.2AI score0.01119EPSS
Exploits0References9
RedHat Linux
RedHat Linux
added 2023/06/14 2:39 p.m.4 views

flask: Possible disclosure of permanent session cookie due to missing Vary: Cookie header

A flaw was found in the Python Flask package. A cached response may contain data for one client sent by a proxy to other clients, including session cookies, resulting in the compromise of data confidentiality contained in the leak requests or cookies. This happens when the following conditions ar...

7.5CVSS7.1AI score0.01261EPSS
Exploits1References6
Rows per page
Query Builder