236 行
9.0 KiB
JSON
236 行
9.0 KiB
JSON
{
|
|
"canonical_id": "flask--CVE-2026-27205",
|
|
"system_id": "flask",
|
|
"display_name": "Flask",
|
|
"category": "frameworks",
|
|
"advisory_mode": "core",
|
|
"title": "Flask session does not add `Vary: Cookie` header when accessed in some ways",
|
|
"summary": "When the `session` object is accessed, Flask should set the `Vary: Cookie` header. This instructs caches not to cache the response, as it may contain information specific to a logged in user. This is handled in most cases, but some forms of access such as the Python `in` operator were overlooked.\n\nThe severity depends on the application's use of the session, and the cache's behavior regarding cookies. The risk depends on all these conditions being met.\n\n1. The application must be hosted behind a caching proxy that does not ignore responses with cookies.\n2. The application does not set a `Cache-Control` header to indicate that a page is private or should not be cached.\n3. The application accesses the session in a way that does not access the values, only the keys, and does not mutate the session.",
|
|
"published_at": "2026-02-19T20:45:41Z",
|
|
"updated_at": "2026-02-23T23:43:45.778179Z",
|
|
"severity": "medium",
|
|
"cvss_score": 4.0,
|
|
"exploit_status": "unknown",
|
|
"source_confidence": "official",
|
|
"official_source_url": "https://github.com/pallets/flask/security/advisories/GHSA-68rp-wp8r-4726",
|
|
"secondary_source_urls": [
|
|
"https://nvd.nist.gov/vuln/detail/CVE-2026-27205",
|
|
"https://github.com/pallets/flask/commit/089cb86dd22bff589a4eafb7ab8e42dc357623b4",
|
|
"https://github.com/pallets/flask",
|
|
"https://github.com/pallets/flask/releases/tag/3.1.3"
|
|
],
|
|
"aliases": [
|
|
"CVE-2026-27205",
|
|
"GHSA-68rp-wp8r-4726"
|
|
],
|
|
"cve_ids": [
|
|
"CVE-2026-27205"
|
|
],
|
|
"ghsa_ids": [
|
|
"GHSA-68rp-wp8r-4726"
|
|
],
|
|
"osv_ids": [
|
|
"GHSA-68rp-wp8r-4726"
|
|
],
|
|
"affected_versions": [
|
|
"0.1",
|
|
"0.10",
|
|
"0.10.1",
|
|
"0.11",
|
|
"0.11.1",
|
|
"0.12",
|
|
"0.12.1",
|
|
"0.12.2",
|
|
"0.12.3",
|
|
"0.12.4",
|
|
"0.12.5",
|
|
"0.2",
|
|
"0.3",
|
|
"0.3.1",
|
|
"0.4",
|
|
"0.5",
|
|
"0.5.1",
|
|
"0.5.2",
|
|
"0.6",
|
|
"0.6.1",
|
|
"introduced=0, fixed<3.1.3"
|
|
],
|
|
"fixed_versions": [
|
|
"3.1.3"
|
|
],
|
|
"package_name": "flask",
|
|
"render_markdown": true,
|
|
"case_path": "07-framework-security/frameworks/flask/cases/flask-cve-2026-27205.md",
|
|
"secure_code_topics": [
|
|
"xss-output-encoding",
|
|
"ssrf-url-validation",
|
|
"token-cookie-storage",
|
|
"proxy-trust-boundary"
|
|
],
|
|
"status": "generated",
|
|
"triage_reasons": [],
|
|
"entity_refs": [
|
|
{
|
|
"entity_id": "flask",
|
|
"entity_type": "system",
|
|
"relation": "root-system",
|
|
"root_system_id": "flask",
|
|
"official": true
|
|
},
|
|
{
|
|
"entity_id": "flask--project--flask",
|
|
"entity_type": "project",
|
|
"relation": "affected-component",
|
|
"root_system_id": "flask",
|
|
"official": false
|
|
}
|
|
],
|
|
"affected_components": [
|
|
{
|
|
"name": "flask",
|
|
"entity_id": "flask--project--flask",
|
|
"scope": "package",
|
|
"package_name": "flask",
|
|
"official": false
|
|
}
|
|
],
|
|
"affected_version_ranges": [
|
|
"0.1",
|
|
"0.10",
|
|
"0.10.1",
|
|
"0.11",
|
|
"0.11.1",
|
|
"0.12",
|
|
"0.12.1",
|
|
"0.12.2",
|
|
"0.12.3",
|
|
"0.12.4",
|
|
"0.12.5",
|
|
"0.2",
|
|
"0.3",
|
|
"0.3.1",
|
|
"0.4",
|
|
"0.5",
|
|
"0.5.1",
|
|
"0.5.2",
|
|
"0.6",
|
|
"0.6.1",
|
|
"introduced=0, fixed<3.1.3"
|
|
],
|
|
"fixed_version_ranges": [
|
|
"3.1.3"
|
|
],
|
|
"introduced_version": "introduced=0, fixed<3.1.3",
|
|
"patched_version": "3.1.3",
|
|
"version_evidence_sources": [
|
|
"https://github.com/pallets/flask/security/advisories/GHSA-68rp-wp8r-4726",
|
|
"https://nvd.nist.gov/vuln/detail/CVE-2026-27205",
|
|
"https://github.com/pallets/flask/commit/089cb86dd22bff589a4eafb7ab8e42dc357623b4",
|
|
"https://github.com/pallets/flask",
|
|
"https://github.com/pallets/flask/releases/tag/3.1.3"
|
|
],
|
|
"advisory_scope": "package",
|
|
"version_confidence": "high",
|
|
"version_gap_reason": "",
|
|
"version_resolution_needed": false,
|
|
"workflow": {
|
|
"workflow_id": "flask--CVE-2026-27205--workflow",
|
|
"vuln_family": "xss",
|
|
"entry_surface": "web-ui-render-path",
|
|
"preconditions": [
|
|
"\u4ec5\u5728 lab-local\u3001lab-public \u6216\u660e\u786e\u6388\u6743\u76ee\u6807\u4e2d\u6267\u884c\u3002",
|
|
"\u786e\u8ba4\u76ee\u6807\u547d\u4e2d\u7248\u672c\u65ad\u8a00: 0.1, 0.10, 0.10.1",
|
|
"\u82e5\u5bf9\u8c61\u5c5e\u4e8e `package`\uff0c\u5148\u786e\u8ba4\u6269\u5c55/\u4ed3\u5e93/\u5305\u5df2\u542f\u7528\u5e76\u5904\u4e8e\u53d7\u5f71\u54cd\u7248\u672c\u3002"
|
|
],
|
|
"required_role": "editor-or-admin",
|
|
"affected_version_assertion": [
|
|
"0.1",
|
|
"0.10",
|
|
"0.10.1",
|
|
"0.11",
|
|
"0.11.1",
|
|
"0.12",
|
|
"0.12.1",
|
|
"0.12.2",
|
|
"0.12.3",
|
|
"0.12.4",
|
|
"0.12.5",
|
|
"0.2",
|
|
"0.3",
|
|
"0.3.1",
|
|
"0.4",
|
|
"0.5",
|
|
"0.5.1",
|
|
"0.5.2",
|
|
"0.6",
|
|
"0.6.1",
|
|
"introduced=0, fixed<3.1.3"
|
|
],
|
|
"trigger_vector": "\u5bf9 `xss` \u5bb6\u65cf\u5165\u53e3\u6295\u9012\u6700\u5c0f\u5316\u3001\u53ef\u5ba1\u8ba1\u3001\u53ef\u56de\u6eda\u7684\u53d7\u63a7\u8f93\u5165\uff0c\u6bd4\u8f83\u4fee\u590d\u524d\u540e\u5dee\u5f02\u3002",
|
|
"request_or_ui_path": [
|
|
"/admin/editor",
|
|
"/preview",
|
|
"/rendered-content"
|
|
],
|
|
"input_shape": "\u53d7\u63a7 HTML/Markdown/\u5bcc\u6587\u672c\u8f93\u5165\uff0c\u89c2\u5bdf\u6e32\u67d3\u4e0a\u4e0b\u6587\u662f\u5426\u5931\u53bb\u7f16\u7801\u6216\u51c0\u5316\u3002",
|
|
"expected_unsafe_behavior": "\u8f93\u5165\u5728\u76ee\u6807\u4e0a\u4e0b\u6587\u6267\u884c\u6216\u88ab\u6d4f\u89c8\u5668\u89e3\u91ca\u4e3a\u4e3b\u52a8\u5185\u5bb9\u3002",
|
|
"server_evidence_points": [
|
|
"\u5e94\u7528\u65e5\u5fd7\u4e2d\u7684\u547d\u4e2d\u8def\u5f84\u3001\u9274\u6743\u51b3\u7b56\u548c\u5f02\u5e38\u6808",
|
|
"\u53cd\u5411\u4ee3\u7406\u6216\u8fb9\u754c\u5c42\u65e5\u5fd7\u4e2d\u7684\u8bf7\u6c42\u5934\u3001\u6765\u6e90 IP \u4e0e\u8def\u7531\u51b3\u7b56"
|
|
],
|
|
"browser_evidence_points": [
|
|
"\u57fa\u7ebf\u622a\u56fe\u4e0e\u653b\u51fb\u540e\u622a\u56fe\u7684 DOM/\u89c6\u89c9\u5dee\u5f02",
|
|
"console\u3001network \u4e0e response metadata \u4e2d\u7684\u5f02\u5e38\u4fe1\u53f7"
|
|
],
|
|
"db_or_fs_evidence_points": [
|
|
"\u6570\u636e\u5e93\u4e2d\u65b0\u589e/\u8d8a\u6743\u8bfb\u53d6\u7684\u6d4b\u8bd5\u6570\u636e",
|
|
"\u6587\u4ef6\u7cfb\u7edf\u4e2d\u65b0\u589e\u4e0a\u4f20\u6837\u672c\u3001\u7f13\u5b58\u6761\u76ee\u6216\u8d8a\u6743\u8bfb\u53d6\u75d5\u8ff9"
|
|
],
|
|
"detection_signals": [
|
|
"WAF / reverse proxy \u5f02\u5e38\u65e5\u5fd7\u3001\u8bbf\u95ee\u65e5\u5fd7\u548c\u544a\u8b66",
|
|
"\u5e94\u7528\u5ba1\u8ba1\u65e5\u5fd7\u4e2d\u7684\u6743\u9650\u9519\u8bef\u3001\u91cd\u5b9a\u5411\u5f02\u5e38\u3001\u6a21\u677f\u6e32\u67d3\u6216\u4e0a\u4f20\u843d\u76d8\u4e8b\u4ef6"
|
|
],
|
|
"mitigation_summary": "\u4f18\u5148\u5347\u7ea7\u5230\u4fee\u590d\u7248\u672c\uff0c\u5e76\u540c\u65f6\u6536\u7d27\u8f93\u5165\u6821\u9a8c\u3001\u670d\u52a1\u7aef\u9274\u6743\u3001\u4ee3\u7406\u4fe1\u4efb\u8fb9\u754c\u3001\u6269\u5c55\u5b89\u88c5\u4fe1\u4efb\u548c\u5ba1\u8ba1\u65e5\u5fd7\u3002",
|
|
"patch_validation_steps": [
|
|
"\u786e\u8ba4\u76ee\u6807\u7248\u672c\u4ece `0.1, 0.10, 0.10.1` \u5347\u7ea7\u6216\u56de\u79fb\u5230 `3.1.3`\u3002",
|
|
"\u4fdd\u7559\u540c\u4e00\u7ec4\u53d7\u63a7\u8f93\u5165\uff0c\u5728\u4fee\u590d\u524d\u540e\u5206\u522b\u6267\u884c\u5e76\u6bd4\u5bf9\u54cd\u5e94\u3001\u65e5\u5fd7\u4e0e\u6d4f\u89c8\u5668\u8bc1\u636e\u3002",
|
|
"\u786e\u8ba4\u4fee\u590d\u540e\u4ec5\u4fdd\u7559\u9884\u671f\u4e1a\u52a1\u884c\u4e3a\uff0c\u4e0d\u518d\u89e6\u53d1\u8d8a\u6743\u3001\u56de\u663e\u3001\u5f02\u5e38\u6e32\u67d3\u6216\u9519\u8bef\u8bf7\u6c42\u3002",
|
|
"\u8865\u5145 `xss` \u65cf\u81ea\u52a8\u5316\u56de\u5f52\uff0c\u907f\u514d\u540c\u7c7b\u8def\u5f84\u5728\u63d2\u4ef6\u3001\u4e3b\u9898\u6216\u4ee3\u7406\u94fe\u4e2d\u56de\u5f52\u3002"
|
|
],
|
|
"lab_safety_notes": [
|
|
"\u53ea\u4f7f\u7528\u56de\u73af\u5730\u5740\u3001\u54e8\u5175\u76ee\u6807\u3001\u65e0\u5bb3\u6837\u672c\u6216\u53ef\u56de\u6eda\u6d4b\u8bd5\u6570\u636e\u3002",
|
|
"\u7981\u6b62\u9020\u6210\u6301\u4e45\u7834\u574f\u3001\u8d8a\u6743\u4e0b\u8f7d\u771f\u5b9e\u6570\u636e\u6216\u4e0d\u53ef\u56de\u6eda side effect\u3002",
|
|
"\u5982\u9700\u6d4f\u89c8\u5668\u8bc1\u636e\uff0c\u4fdd\u7559 baseline / proof \u4e24\u4efd\u5feb\u7167\u4ee5\u53ca console / network \u8bb0\u5f55\u3002"
|
|
],
|
|
"review_state": "ready"
|
|
},
|
|
"verification_status": "triage-manual",
|
|
"verification_mode": "synthetic",
|
|
"last_verified_at": null,
|
|
"last_run_id": null,
|
|
"evidence_bundle": null,
|
|
"historical_status": null,
|
|
"latest_status": null,
|
|
"browser_evidence": {
|
|
"required": false,
|
|
"present": false,
|
|
"refs": []
|
|
},
|
|
"repro_profile_id": "xss-generic",
|
|
"artifact_mode": "synthetic",
|
|
"blocked_reason": null,
|
|
"metadata": {
|
|
"source_names": [
|
|
"OSV Flask"
|
|
],
|
|
"source_kinds": [
|
|
"osv-batch"
|
|
],
|
|
"candidate_count": 1,
|
|
"entity_ref_count": 2,
|
|
"advisory_scope": "package",
|
|
"version_confidence": "high",
|
|
"workflow_id": "flask--CVE-2026-27205--workflow"
|
|
}
|
|
}
|