CVE-2014-3137
python-bottle - security update
Severity: 9.8 CRITICAL (CVSS 3.1)
EPSS: 0.94%
Description
Bottle 0.10.x before 0.10.12, 0.11.x before 0.11.7, and 0.12.x before 0.12.6 does not properly limit content types, which allows remote attackers to bypass intended access restrictions via an accepted Content-Type followed by a semicolon (;) and a Content-Type that would not be accepted, as demonstrated in YouCompleteMe to execute arbitrary code.
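The description turns on how a Content-Type header is matched: a check that only looks for the accepted media type somewhere in the header, or that ignores what follows the `;`, accepts the header shape described above. The following Python is an added example written for this page, not Bottle's own code and not the YouCompleteMe exploit; it contrasts a lenient substring check with a strict parser that only accepts `type/subtype` plus `name=value` parameters and compares the media type exactly. The allowlist, function names and sample headers are assumptions chosen for illustration.

```python
"""Added example (not Bottle's code): lenient vs. strict Content-Type checks.

A header of the form 'accepted/type; other/type' starts with an accepted
media type, then a ';', then something that is not a parameter. The lenient
check below lets it through; the strict check parses the header and rejects
anything after the ';' that is not a 'name=value' parameter.
"""
import re

# Assumed allowlist for this example: only JSON bodies are accepted.
ALLOWED_MEDIA_TYPES = {"application/json"}

# RFC 7230 'token' characters; used for type, subtype, parameter names/values.
_TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
_MEDIA_TYPE_RE = re.compile(rf"^{_TOKEN}/{_TOKEN}$")
_PARAM_RE = re.compile(rf'^({_TOKEN})=({_TOKEN}|"(?:[^"\\]|\\.)*")$')


def lenient_is_allowed(content_type: str) -> bool:
    """Substring check: accepts any header that merely contains an allowed type."""
    ct = content_type.lower()
    return any(allowed in ct for allowed in ALLOWED_MEDIA_TYPES)


def parse_content_type(content_type: str):
    """Return (media_type, params) or None if the header is malformed.

    Every ';'-separated part after the media type must be 'name=value';
    a bare second media type such as '; text/plain' makes the header malformed.
    """
    parts = [p.strip() for p in content_type.split(";")]
    media_type = parts[0].lower()
    if not _MEDIA_TYPE_RE.match(media_type):
        return None
    params = {}
    for part in parts[1:]:
        if not part:
            continue  # tolerate a trailing ';'
        m = _PARAM_RE.match(part)
        if not m:
            return None
        params[m.group(1).lower()] = m.group(2)
    return media_type, params


def strict_is_allowed(content_type: str) -> bool:
    """Exact media-type match on a successfully parsed header; malformed -> rejected."""
    parsed = parse_content_type(content_type)
    if parsed is None:
        return False
    media_type, _params = parsed
    return media_type in ALLOWED_MEDIA_TYPES


# Constructed sample headers for this example (not taken from any real request).
SAMPLE_HEADERS = [
    "application/json",
    "application/json; charset=utf-8",
    "application/json; text/plain",   # accepted type, ';', then a non-parameter
    "text/plain; application/json",   # accepted type hidden after the ';'
    "text/plain",
]

if __name__ == "__main__":
    for hdr in SAMPLE_HEADERS:
        print(f"{hdr!r:40} lenient={lenient_is_allowed(hdr)!s:5} "
              f"strict={strict_is_allowed(hdr)}")
```

Running the block shows the two checks diverging only on the two headers with a `;`-separated second media type: the lenient check accepts both, the strict check rejects both. Rejecting a malformed header outright, rather than guessing which of the two types the sender meant, is the conservative choice for a handler that parses request bodies.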
How to fix CVE-2014-3137
To remediate CVE-2014-3137, upgrade the affected package to a fixed version below.
- upgrade to 0.12.6-1 or later
- upgrade to 0.10.11-1+deb7u1 or later
- upgrade to 0.10.12 or later
- upgrade to 0.10.12 or later
Is CVE-2014-3137 being exploited?
Low — EPSS is 0.9%, meaning exploitation activity has not been observed at scale.
Affected packages (4)
- >= 0, < 0.12.6-1
- >= 0, < 0.10.11-1+deb7u1
- >= 0.10.0, < 0.10.12
- >= 0.8, < 0.10.12; >= 0.11, < 0.11.7; >= 0.12, < 0.12.6
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U |
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |