CVE-2014-3137: Bottle does not properly limit content-types

May 17, 2022 (updated September 13, 2024)

Bottle 0.10.x before 0.10.12, 0.11.x before 0.11.7, and 0.12.x before 0.12.6 does not properly limit content types, which allows remote attackers to bypass intended access restrictions via an accepted Content-Type followed by a ; (semi-colon) and a Content-Type that would not be accepted, as demonstrated in YouCompleteMe to execute arbitrary code.

References

bugzilla.redhat.com/show_bug.cgi?id=1093255
github.com/advisories/GHSA-873q-wpqr-xfgw
github.com/bottlepy/bottle
github.com/bottlepy/bottle/issues/616
github.com/defnull/bottle/issues/616
github.com/pypa/advisory-database/tree/main/vulns/bottle/PYSEC-2014-77.yaml
nvd.nist.gov/vuln/detail/CVE-2014-3137

Detect and mitigate CVE-2014-3137 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →