CVE-2014-3137 — Improper Input Validation in Bottle

CWE-20 — Improper Input Validation6 documents5 sources

Severity

6.8MEDIUMNVD

EPSS

0.9%

top 23.69%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Bottlepy Bottle Debian Python-bottle

Timeline

PublishedOct 25

Latest updateMay 17

Description

Bottle 0.10.x before 0.10.12, 0.11.x before 0.11.7, and 0.12.x before 0.12.6 does not properly limit content types, which allows remote attackers to bypass intended access restrictions via an accepted Content-Type followed by a ; (semi-colon) and a Content-Type that would not be accepted, as demonstrated in YouCompleteMe to execute arbitrary code.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages3 packages

▶PyPIbottlepy/bottle0.10.0 — 0.10.12+2

▶debiandebian/python-bottle< python-bottle 0.12.6-1 (bookworm)

▶NVDbottlepy/bottle26 versions+25

Patches

Patch: bugzilla.redhat.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

GHSA

Bottle does not properly limit content-types↗2022-05-17

▶

OSV

Bottle does not properly limit content-types↗2022-05-17

▶

OSV

CVE-2014-3137: Bottle 0↗2014-10-25

▶

📋Vendor Advisories

Debian

CVE-2014-3137: python-bottle - Bottle 0.10.x before 0.10.12, 0.11.x before 0.11.7, and 0.12.x before 0.12.6 doe...↗2014

▶

💬Community

Bugzilla

CVE-2014-3137 python-bottle: JSON content-type not restrictive enough↗2014-05-01

▶