CVE-2023-30861: 
Podman vulnerability analysis and mitigation

CVE-2023-30861 is a security vulnerability in Flask, a lightweight WSGI web application framework. The vulnerability was discovered in May 2023 and affects Flask versions prior to 2.3.2 and 2.2.5. The issue occurs when Flask fails to properly set the Vary: Cookie header when the session is refreshed without being accessed or modified, potentially leading to the disclosure of permanent session cookies (Flask Advisory).

The vulnerability has a CVSS v3.1 base score of 7.5 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The issue manifests when specific conditions are met: the application must be hosted behind a caching proxy that doesn't strip cookies, session.permanent is set to True, the session isn't accessed during a request, SESSION_REFRESH_EACH_REQUEST is enabled (default), and no Cache-Control header is set to prevent caching (Flask Advisory).

When successfully exploited, this vulnerability could lead to the disclosure of sensitive information. Specifically, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches Set-Cookie headers, it may send one client's session cookie to other clients, potentially compromising session security (NetApp Advisory).

The vulnerability has been fixed in Flask versions 2.3.2 and 2.2.5. Organizations are recommended to upgrade to these patched versions to address the security issue. For systems that cannot be immediately updated, ensuring proper Cache-Control headers are set or modifying the session access pattern could help mitigate the risk (Red Hat Advisory).

Multiple major organizations and Linux distributions have responded to this vulnerability by issuing security advisories and patches, including Red Hat, Debian, and NetApp. Debian released security updates for both oldstable (bullseye) and LTS distributions (Debian Advisory, Debian LTS).