CVE-2014-3137

Bottle < 0.10.12, 0.11.7, 0.12.6 - Unauthenticated Content-Type Restriction Bypass

Title source: llm
STIX 2.1

Description

Bottle 0.10.x before 0.10.12, 0.11.x before 0.11.7, and 0.12.x before 0.12.6 does not properly limit content types, which allows remote attackers to bypass intended access restrictions via an accepted Content-Type followed by a ; (semi-colon) and a Content-Type that would not be accepted, as demonstrated in YouCompleteMe to execute arbitrary code.

References (4)

Core 4
Core References
Issue Tracking x_refsource_confirm
https://github.com/defnull/bottle/issues/616
Patch, Vendor Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=1093255
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2014/05/01/15
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2014/dsa-2948

Scores

EPSS 0.0310
EPSS Percentile 86.2%

Details

CWE
CWE-20
Status published
Products (27)
bottlepy/bottle 0.10.0
bottlepy/bottle 0.10.1
bottlepy/bottle 0.10.2
bottlepy/bottle 0.10.3
bottlepy/bottle 0.10.4
bottlepy/bottle 0.10.5
bottlepy/bottle 0.10.6
bottlepy/bottle 0.10.7
bottlepy/bottle 0.10.8
bottlepy/bottle 0.10.9
... and 17 more
Published Oct 25, 2014
Tracked Since Feb 18, 2026