20 matches found
OPENSUSE-SU-2026:20885-1 Security update for python-Flask
This update for python-Flask fixes the following issue: - CVE-2026-27205: information disclosure due to Flask session not adding the Vary: Cookie header bsc1258700...
Security Bulletin:Flask Vary Cookie Header Vulnerability: Use of Cache Containing Sensitive Information Fixed in 3.1.3
Summary Flask is a web server gateway interface WSGI web application framework. In versions 3.1.2 and below, when the session object is accessed, Flask should set the Vary: Cookie header., resulting in a Use of Cache Containing Sensitive Information vulnerability. The logic instructs caches not t...
OESA-2026-2136 python-flask security update
Flask is a lightweight WSGI web application framework. It is designed to make getting started quick and easy, with the ability to scale up to complex applications. It began as a simple wrapper around Werkzeug and Jinja and has become one of the most popular Python web application frameworks...
Security update for python-Flask
This update for python-Flask fixes the following issue: CVE-2026-27205: information disclosure due to Flask session not adding the Vary: Cookie header bsc1258700. Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST onlineupdate or "zypper patch"...
SUSE-SU-2026:0849-1 Security update for python-Flask
This update for python-Flask fixes the following issue: - CVE-2026-27205: information disclosure due to Flask session not adding the Vary: Cookie header bsc1258700...
Sensitive Information Exposure
Flask is vulnerable to Sensitive Information Exposure. The vulnerability is due to incomplete handling of the Vary: Cookie header when accessing the session object, where certain access patterns e.g., using the in operator fail to mark responses as user-specific, allowing caching proxies to store...
SUSE CVE-2026-27205
Flask is a web server gateway interface WSGI web application framework. In versions 3.1.2 and below, when the session object is accessed, Flask should set the Vary: Cookie header., resulting in a Use of Cache Containing Sensitive Information vulnerability. The logic instructs caches not to cache...
CVE-2026-27205
Flask is a web server gateway interface WSGI web application framework. In versions 3.1.2 and below, when the session object is accessed, Flask should set the Vary: Cookie header., resulting in a Use of Cache Containing Sensitive Information vulnerability. The logic instructs caches not to cache...
CVE-2026-27205
CVE-2026-27205 – Flask cache-related information disclosure (root cause: Vary: Cookie not set when session accessed) Affected: Flask 3.1.2 and below. In these versions, accessing the session object may cause a response to be cached with user-specific data, as the Vary: Cookie header is not consis...
CVE-2026-27205
Flask is a web server gateway interface WSGI web application framework. In versions 3.1.2 and below, when the session object is accessed, Flask should set the Vary: Cookie header., resulting in a Use of Cache Containing Sensitive Information vulnerability. The logic instructs caches not to cache...
Flask session does not add `Vary: Cookie` header when accessed in some ways
When the session object is accessed, Flask should set the Vary: Cookie header. This instructs caches not to cache the response, as it may contain information specific to a logged in user. This is handled in most cases, but some forms of access such as the Python in operator were overlooked. The...
GHSA-68RP-WP8R-4726 Flask session does not add `Vary: Cookie` header when accessed in some ways
When the session object is accessed, Flask should set the Vary: Cookie header. This instructs caches not to cache the response, as it may contain information specific to a logged in user. This is handled in most cases, but some forms of access such as the Python in operator were overlooked. The...
PT-2026-21353
Name of the Vulnerable Software and Affected Versions Flask versions 3.1.2 and below Description Flask, a web server gateway interface WSGI web application framework, may improperly handle caching when accessing the session object. Specifically, it may fail to set the 'Vary: Cookie' header,...
flask: Possible disclosure of permanent session cookie due to missing Vary: Cookie header
A flaw was found in the Python Flask package. A cached response may contain data for one client sent by a proxy to other clients, including session cookies, resulting in the compromise of data confidentiality contained in the leak requests or cookies. This happens when the following conditions ar...
flask: Possible disclosure of permanent session cookie due to missing Vary: Cookie header
A flaw was found in the Python Flask package. A cached response may contain data for one client sent by a proxy to other clients, including session cookies, resulting in the compromise of data confidentiality contained in the leak requests or cookies. This happens when the following conditions ar...
Information Disclosure
flask is vulnerable to Information Disclosure. The vulnerability exists due to the missing Vary cookie header in the savesession function of sessions.py, which leads to the disclosure of the session cookie, or sending data to a client who did not make the request...
GHSA-M2QF-HXJV-5GPQ Flask vulnerable to possible disclosure of permanent session cookie due to missing Vary: Cookie header
When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by a proxy to other clients. If the proxy also caches Set-Cookie headers, it may send one client's session cookie to other clients. The severity depends on the...
SUSE CVE-2014-1418
Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly include the 1 Vary: Cookie or 2 Cache-Control header in responses, which allows remote attackers to obtain sensitive information or poison the cache via a request from certain browsers...
DEBIAN-CVE-2014-1418
Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly include the 1 Vary: Cookie or 2 Cache-Control header in responses, which allows remote attackers to obtain sensitive information or poison the cache via a request from certain browsers...
UBUNTU-CVE-2014-1418
Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly include the 1 Vary: Cookie or 2 Cache-Control header in responses, which allows remote attackers to obtain sensitive information or poison the cache via a request from certain browsers...