Description
The package bottle from 0 and before 0.12.19 are vulnerable to Web Cache
Poisoning by using a vector called parameter cloaking. When the attacker
can separate query parameters using a semicolon (;), they can cause a
difference in the interpretation of the request between the proxy (running
with default configuration) and the server. This can result in malicious
requests being cached as completely safe ones, as the proxy would usually
not see the semicolon as a separator, and therefore would not include it in
a cache key of an unkeyed parameter.
Updated: 2022-04-25 00:49:37 UTC (commit ecc1009cb19540b950de59270950018900f37f15)