Fluid Attacks Database

Description

Bottle does not properly limit content-types Bottle 0.10.x before 0.10.12, 0.11.x before 0.11.7, and 0.12.x before 0.12.6 does not properly limit content types, which allows remote attackers to bypass intended access restrictions via an accepted Content-Type followed by a ; (semi-colon) and a Content-Type that would not be accepted, as demonstrated in YouCompleteMe to execute arbitrary code.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	bottle	>=0.10.0 <0.10.12 \|\| >=0.11.0 <0.11.7 \|\| >=0.12.0 <0.12.6	0.10.12, 0.11.7, 0.12.6
debian 14	python-bottle	>=0 <0.12.6-1	0.12.6-1
debian 12	python-bottle	>=0 <0.12.6-1	0.12.6-1
debian 11	python-bottle	>=0 <0.12.6-1	0.12.6-1
debian 13	python-bottle	>=0 <0.12.6-1	0.12.6-1

Aliases

1. CVE-2014-31372. NVD-2014-31373. OSV-2014-31374. OSV-DEBIAN-2014-31375. GCVE-2014-31376. SECURITY-TRACKER-CVE-2014-3137

References

1. https://github.com/bottlepy/bottle/issues/6162. https://github.com/defnull/bottle/issues/6163. https://bugzilla.redhat.com/show_bug.cgi?id=10932554. https://github.com/pypa/advisory-database/tree/main/vulns/bottle/PYSEC-2014-77.yaml5. http://www.debian.org/security/2014/dsa-29486. http://www.openwall.com/lists/oss-security/2014/05/01/15

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.