Vulnerability CVE-2014-3137
Published: 2014-10-25   Modified: 2014-10-26

Description:
Bottle 0.10.x before 0.10.12, 0.11.x before 0.11.7, and 0.12.x before 0.12.6 does not properly limit content types, which allows remote attackers to bypass intended access restrictions via an accepted Content-Type followed by a ; (semi-colon) and a Content-Type that would not be accepted, as demonstrated in YouCompleteMe to execute arbitrary code.

Type:

CWE-20

 (Improper Input Validation)

CVSS2 => (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
6.8/10
6.4/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial
Affected software
Bottle project -> Bottle 
Bottlepy -> Bottle 

 References:
https://bugzilla.redhat.com/show_bug.cgi?id=1093255
https://github.com/defnull/bottle/issues/616
http://www.openwall.com/lists/oss-security/2014/05/01/15
http://www.debian.org/security/2014/dsa-2948
Copyright 2024, cxsecurity.com

 

Back to Top