CVE-2014-3137
Published: 25 October 2014
Bottle 0.10.x before 0.10.12, 0.11.x before 0.11.7, and 0.12.x before 0.12.6 does not properly limit content types, which allows remote attackers to bypass intended access restrictions via an accepted Content-Type followed by a ; (semi-colon) and a Content-Type that would not be accepted, as demonstrated in YouCompleteMe to execute arbitrary code.
From the Ubuntu Security Team
It was discovered that Bottle does not properly limit content types. A remote attacker could possibly use this to execute arbitrary code.
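The semicolon problem described above, shown as an added example (not Bottle's code and not part of the advisory). A substring match is assumed here as the weak pattern; it is compared with a parser that takes only the media type before the first `;` and rejects a second media type in the parameter position. All function names and sample headers are constructed for illustration.

```python
import re

# Token characters allowed in a media type or parameter name (RFC 7230 "token").
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_MEDIA_TYPE = re.compile(rf"{_TOKEN}/{_TOKEN}")


def lenient_is_json(content_type):
    """Weak check (assumed pattern): substring match anywhere in the header."""
    return "application/json" in (content_type or "")


def strict_media_type(content_type):
    """Return the lowercased type/subtype, or None if the header is malformed.

    Only the text before the first ';' is the media type. Everything after it
    must be name=value parameters, so a second media type there is rejected.
    Splitting on ';' also rejects quoted values containing ';' (fails closed).
    """
    if not content_type:
        return None
    head, *params = content_type.split(";")
    head = head.strip().lower()
    if not _MEDIA_TYPE.fullmatch(head):
        return None
    for param in params:
        name, sep, value = param.strip().partition("=")
        if not sep or not value or not re.fullmatch(_TOKEN, name):
            return None
    return head


def strict_is_json(content_type):
    """Accept only an exact application/json media type."""
    return strict_media_type(content_type) == "application/json"


# Constructed sample headers: two well-formed, two with a second media type.
SAMPLES = [
    "application/json",
    "application/json; charset=utf-8",
    "text/plain;application/json",
    "application/json;text/plain",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{header!r:40} lenient={lenient_is_json(header)!s:5} "
              f"strict={strict_is_json(header)}")
```
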
Priority
Status
Package | Release | Status |
---|---|---|
python-bottle | impish | Not vulnerable (0.12.6-1) |
python-bottle | artful | Not vulnerable (0.12.6-1) |
python-bottle | bionic | Not vulnerable (0.12.6-1) |
python-bottle | cosmic | Not vulnerable (0.12.6-1) |
python-bottle | disco | Not vulnerable (0.12.6-1) |
python-bottle | eoan | Not vulnerable (0.12.6-1) |
python-bottle | focal | Not vulnerable (0.12.6-1) |
python-bottle | groovy | Not vulnerable (0.12.6-1) |
python-bottle | lucid | Ignored (end of life) |
python-bottle | precise | Ignored (end of life) |
python-bottle | quantal | Ignored (end of life) |
python-bottle | saucy | Ignored (end of life) |
python-bottle | upstream | Released (0.12.6-1) |
python-bottle | utopic | Not vulnerable (0.12.6-1) |
python-bottle | wily | Not vulnerable (0.12.6-1) |
python-bottle | xenial | Not vulnerable (0.12.6-1) |
python-bottle | yakkety | Not vulnerable (0.12.6-1) |
python-bottle | zesty | Not vulnerable (0.12.6-1) |
python-bottle | trusty | Released (0.12.0-1ubuntu0.1~esm1), available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
python-bottle | vivid | Not vulnerable (0.12.6-1) |
python-bottle | hirsute | Not vulnerable (0.12.6-1) |
python-bottle | jammy | Not vulnerable (0.12.6-1) |