Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS04NzNxLXdwcXIteGZnd84AAd8X

Bottle does not properly limit content-types

Bottle 0.10.x before 0.10.12, 0.11.x before 0.11.7, and 0.12.x before 0.12.6 does not properly limit content types, which allows remote attackers to bypass intended access restrictions via an accepted Content-Type followed by a ; (semicolon) and a Content-Type that would not be accepted, as demonstrated in YouCompleteMe, where this can be used to execute arbitrary code.

Permalink: https://github.com/advisories/GHSA-873q-wpqr-xfgw
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04NzNxLXdwcXIteGZnd84AAd8X
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: 9 months ago
Identifiers: GHSA-873q-wpqr-xfgw, CVE-2014-3137
References: Repository: https://github.com/bottlepy/bottle
Blast Radius: 0.0

Affected Packages

pypi:bottle
Dependent packages: 138
Dependent repositories: 10,118
Downloads: 3,669,560 last month
Affected Version Ranges: >= 0.12.0, < 0.12.6, >= 0.11.0, < 0.11.7, >= 0.10.0, < 0.10.12
Fixed in: 0.12.6, 0.11.7, 0.10.12
All affected versions: 0.10.1, 0.10.2, 0.10.3, 0.10.4, 0.10.5, 0.10.6, 0.10.7, 0.10.8, 0.10.9, 0.10.10, 0.10.11, 0.11.1, 0.11.2, 0.11.3, 0.11.4, 0.11.5, 0.11.6, 0.12.1, 0.12.2, 0.12.3, 0.12.4, 0.12.5
All unaffected versions: 0.4.3, 0.4.4, 0.4.6, 0.4.7, 0.4.8, 0.4.9, 0.4.10, 0.4.11, 0.4.12, 0.4.13, 0.4.14, 0.5.3, 0.5.4, 0.5.6, 0.5.7, 0.5.8, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.6.4, 0.6.5, 0.6.6, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.8.5, 0.9.1, 0.9.2, 0.9.3, 0.9.4, 0.9.5, 0.9.6, 0.9.7, 0.9.8, 0.10.12, 0.11.7, 0.12.6, 0.12.7, 0.12.8, 0.12.9, 0.12.10, 0.12.11, 0.12.12, 0.12.13, 0.12.14, 0.12.15, 0.12.16, 0.12.17, 0.12.18, 0.12.19, 0.12.20, 0.12.21, 0.12.22, 0.12.23, 0.12.24, 0.12.25