CVE-2014-3137

2014-10-2522:55:00

CWE-20

[email protected]

web.nvd.nist.gov

cve-2014-3137

information security

bottle

content-type

remote attack

youcompleteme

code execution

vulnerability

7.1 High

AI Score

Confidence

Low

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.035 Low

EPSS

Percentile

91.6%

JSON

Bottle 0.10.x before 0.10.12, 0.11.x before 0.11.7, and 0.12.x before 0.12.6 does not properly limit content types, which allows remote attackers to bypass intended access restrictions via an accepted Content-Type followed by a ; (semi-colon) and a Content-Type that would not be accepted, as demonstrated in YouCompleteMe to execute arbitrary code.

CPENameOperatorVersion
bottlepy:bottlebottlepy bottleeq0.11.1
bottlepy:bottlebottlepy bottleeq0.12.2
bottlepy:bottlebottlepy bottleeq0.10.2
bottlepy:bottlebottlepy bottleeq0.10.3
bottlepy:bottlebottlepy bottleeq0.11.3
bottlepy:bottlebottlepy bottleeq0.11.7
bottlepy:bottlebottlepy bottleeq0.12.3
bottlepy:bottlebottlepy bottleeq0.10.5
bottlepy:bottlebottlepy bottleeq0.10.4
bottlepy:bottlebottlepy bottleeq0.11.6

CPE	Name	Operator	Version
bottlepy:bottle	bottlepy bottle	eq	0.11.1
bottlepy:bottle	bottlepy bottle	eq	0.12.2
bottlepy:bottle	bottlepy bottle	eq	0.10.2
bottlepy:bottle	bottlepy bottle	eq	0.10.3
bottlepy:bottle	bottlepy bottle	eq	0.11.3
bottlepy:bottle	bottlepy bottle	eq	0.11.7
bottlepy:bottle	bottlepy bottle	eq	0.12.3
bottlepy:bottle	bottlepy bottle	eq	0.10.5
bottlepy:bottle	bottlepy bottle	eq	0.10.4
bottlepy:bottle	bottlepy bottle	eq	0.11.6