CVE-2020-28473

Name: CVE-2020-28473
Description: The package bottle from 0 and before 0.12.19 is vulnerable to Web Cache Poisoning by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References: DLA-2531-1
NVD severity: medium

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| python-bottle (PTS) | stretch | 0.12.13-1 | vulnerable |
| | stretch (security) | 0.12.13-1+deb9u1 | fixed |
| | buster | 0.12.15-2+deb10u1 | fixed |
| | bullseye, sid | 0.12.19-1 | fixed |

The information below is based on the following data on fixed versions.

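| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| python-bottle | source | stretch | 0.12.13-1+deb9u1 | | DLA-2531-1 | |
| python-bottle | source | buster | 0.12.15-2+deb10u1 | | | |
| python-bottle | source | (unstable) | 0.12.19-1 | | | |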

Notes

https://snyk.io/vuln/SNYK-PYTHON-BOTTLE-1017108
Fixed by: https://github.com/bottlepy/bottle/commit/57a2f22e0c1d2b328c4f54bf75741d74f47f1a6b (0.12.19)
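
The parsing difference from the description, as an added example that is not part of this tracker entry or of bottle's code: a check that flags query strings whose parameters change depending on whether `;` is treated as a separator. The function names, the last-value-wins lookup and the sample queries are assumptions made for the illustration.

```python
from urllib.parse import unquote_plus


def parse_pairs(query, semicolon_is_separator):
    """Split a raw query string into decoded (name, value) pairs.

    semicolon_is_separator=False models a proxy that splits on '&' only;
    True models a server that also splits on ';'.
    """
    if semicolon_is_separator:
        query = query.replace(";", "&")
    pairs = []
    for field in query.split("&"):
        if not field:
            continue
        name, _, value = field.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def cloaked_params(query):
    """Return the parameter names that the two parsers disagree on.

    Assumption: both sides keep the last value for a repeated name.
    An empty list means the proxy and the server see the same request.
    """
    proxy_view = dict(parse_pairs(query, semicolon_is_separator=False))
    server_view = dict(parse_pairs(query, semicolon_is_separator=True))
    names = set(proxy_view) | set(server_view)
    return sorted(n for n in names if proxy_view.get(n) != server_view.get(n))


if __name__ == "__main__":
    # Constructed sample queries, not taken from any real traffic.
    samples = [
        "a=1&b=2",                                       # plain request
        "q=a%3Bb&x=1",                                   # encoded ';' is data
        "callback=render&utm_content=x;callback=other",  # raw ';' in a value
    ]
    for qs in samples:
        print(qs, "->", cloaked_params(qs))
```

A non-empty result marks a request that a cache in front of an affected bottle version may key differently from how the application reads it; such requests can be rejected or normalised at the edge until the fixed package is installed.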
