CVE-2014-3137 – bottle
Package
  Manager: pip
  Name: bottle
  Vulnerable Version: >=0.10.0 <0.10.12 || >=0.11.0 <0.11.7 || >=0.12.0 <0.12.6
Severity
  Level: High
  CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
  EPSS: 0.0094 (percentile 0.75452)
Details
  Summary: Bottle does not properly limit content-types
  Description: Bottle 0.10.x before 0.10.12, 0.11.x before 0.11.7, and 0.12.x before 0.12.6 does not properly limit content types, which allows remote attackers to bypass intended access restrictions via an accepted Content-Type followed by a `;` (semi-colon) and a Content-Type that would not be accepted, as demonstrated in YouCompleteMe to execute arbitrary code.
Metadata
  Created: 2022-05-17T04:19:29Z
  Modified: 2024-09-13T17:57:20Z
  Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-873q-wpqr-xfgw/GHSA-873q-wpqr-xfgw.json
  CWE IDs: ["CWE-20"]
  Alternative ID: GHSA-873q-wpqr-xfgw
  Finding: F184
  Auto approve: 1