Flask Vary Cookie Header Omission Vulnerability in Session Management

Vulnerability

A vulnerability exists in Flask, a WSGI web application framework, in versions prior to 3.1.3. When the session object is accessed, Flask is supposed to add a 'Vary: Cookie' header to the response. This header is crucial because it tells caches not to store the response, which may contain user-specific information. This is generally implemented correctly, but certain access methods, such as the Python 'in' operator, were missed. The vulnerability can lead to caching of sensitive information when all of the following hold: the application is behind a caching proxy that does not refuse to cache responses carrying cookies; the application does not set a 'Cache-Control' header marking pages as private or non-cacheable; and the application accesses the session in a way that only checks for keys, without reading values or modifying the session.

Impact

Exploitation of this vulnerability can result in caches storing sensitive information, potentially leading to unauthorized access to user-specific data.

Reproduction

To reproduce this vulnerability, deploy a Flask application with a version prior to 3.1.3 behind a caching proxy that does not ignore cookies. Ensure that the application does not set 'Cache-Control' headers indicating privacy or non-cacheability. Access the session using the 'in' operator; the session is then not marked as accessed, so the necessary 'Vary: Cookie' header is omitted from the response.

Remediation

Upgrade Flask to version 3.1.3 or later, where this vulnerability has been fixed.
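The following is an added example written for this advisory, not Flask's own code. It is a simplified, standard-library-only model of the mechanism the Vulnerability and Reproduction sections describe: a session object that records whether it was accessed, and a response step that adds 'Vary: Cookie' only when that flag is set. The class and function names (TrackedSession, PatchedSession, finalize_headers, handle_request, is_cacheable_by_shared_cache, with_private_cache_control) are constructed for illustration; the assumption is that value reads mark the session as accessed while a bare membership test via 'in' does not, and that the fix consists of hooking the 'in' path as well. The last helper shows the Cache-Control precondition from the Vulnerability section as a defensive setting for deployments that cannot upgrade immediately.

```python
"""Simplified model of session-access tracking and the Vary: Cookie logic.

Added example for this advisory; not Flask's code. Names are constructed to
mirror the mechanism: a session that records reads, and a save step that adds
Vary: Cookie only when the session reports being accessed.
"""


class TrackedSession(dict):
    """Session that records value reads (assumed model of the affected behaviour).

    Only __getitem__ and get() set `accessed`. A membership test such as
    `'user' in session` falls through to dict.__contains__, so it is never
    recorded; that is the gap the advisory describes.
    """

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.accessed = False

    def __getitem__(self, key):
        self.accessed = True
        return super().__getitem__(key)

    def get(self, key, default=None):
        self.accessed = True
        return super().get(key, default)


class PatchedSession(TrackedSession):
    """Same session with the missing hook: the `in` operator now marks access."""

    def __contains__(self, key):
        self.accessed = True
        return super().__contains__(key)


def finalize_headers(session, headers=None):
    """Model of the save-session step: add Vary: Cookie only if accessed."""
    headers = dict(headers or {})
    if session.accessed:
        vary = {v.strip() for v in headers.get("Vary", "").split(",") if v.strip()}
        vary.add("Cookie")
        headers["Vary"] = ", ".join(sorted(vary))
    return headers


def handle_request(session_cls, mode):
    """Run one request against a constructed session holding a logged-in user.

    mode="contains" uses `'user' in session` (the affected access path);
    mode="get" uses session.get('user') (a value read).
    Returns (body, response_headers).
    """
    session = session_cls({"user": "alice"})  # constructed sample session
    if mode == "contains":
        body = "welcome back" if "user" in session else "please log in"
    elif mode == "get":
        user = session.get("user")
        body = f"hello {user}" if user else "please log in"
    else:
        raise ValueError(f"unknown mode: {mode}")
    return body, finalize_headers(session)


def is_cacheable_by_shared_cache(headers):
    """Defender-side check on a response's headers.

    Returns True when a shared cache that does not ignore cookies would be
    allowed to store this response and reuse it for other clients, i.e. when
    neither Vary lists Cookie nor Cache-Control marks it private/no-store.
    """
    vary = {v.strip().lower() for v in headers.get("Vary", "").split(",")}
    cc = {d.strip().lower() for d in headers.get("Cache-Control", "").split(",")}
    if "cookie" in vary:
        return False
    if cc & {"private", "no-store"}:
        return False
    return True


def with_private_cache_control(headers):
    """Workaround for deployments not yet on a fixed version: force a
    Cache-Control value that keeps the response out of shared caches
    regardless of whether Vary: Cookie was emitted."""
    headers = dict(headers)
    headers["Cache-Control"] = "private, no-store"
    return headers


if __name__ == "__main__":
    for cls in (TrackedSession, PatchedSession):
        for mode in ("contains", "get"):
            body, hdrs = handle_request(cls, mode)
            print(f"{cls.__name__:15} {mode:9} headers={hdrs} "
                  f"shared-cacheable={is_cacheable_by_shared_cache(hdrs)}")
```

Running the block prints one line per combination: the affected session with the 'in' path produces no 'Vary' header and is reported as cacheable by a shared cache, whereas a value read, the patched session, or the forced Cache-Control header all keep the response out of shared caches. The is_cacheable_by_shared_cache check can be pointed at captured response headers from a real deployment to confirm whether the three preconditions in the Vulnerability section are met.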

Added: Feb 21, 2026, 6:21 AM
Updated: Feb 21, 2026, 6:21 AM

Vulnerability Rating

Custom Algorithm

spread: 7.3
impact: 0.6
exploitability: 7.0
remediation: 7.7
relevance: 3.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.