4 matches found
CVE-2022-31799
Bottle before 0.12.20 mishandles errors during early request binding, exposing a vulnerability that can disclose sensitive information. Public advisories confirm affected software: python-bottle up to 0.12.19/0.12.20. Debian security notes (DSA and DLA) describe the issue and recommend upgrading ...
CVE-2020-28473
CVE-2020-28473 affects the bottle Python package (versions before 0.12.19). The underlying issue is parameter cloaking: if an attacker uses semicolon to separate query parameters, the proxy and server may interpret the request differently, causing malicious requests to be cached as safe. This ena...
CVE-2016-9964
The CVE corresponds to a CRLF injection in bottle.py (bottle 0.12.10) where redirect() does not filter a "\r\n" sequence, enabling HTTP header injection. Public disclosures across multiple feeds confirm the issue is caused by improper handling of redirections, with clear remediation guidance to u...
CVE-2014-3137
CVE-2014-3137 affects Bottle: 0.10.x prior to 0.10.12, 0.11.x prior to 0.11.7, and 0.12.x prior to 0.12.6. The issue is that the framework does not properly constrain accepted Content-Types, allowing an attacker to bypass access restrictions by sending an initial accepted Content-Type followed by...