PublicDateAtUSN: 2021-01-18 12:15:00 UTC
Candidate: CVE-2020-28473
PublicDate: 2021-01-18 12:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28473
 https://snyk.io/vuln/SNYK-PYTHON-BOTTLE-1017108
 https://github.com/bottlepy/bottle
 https://snyk.io/blog/cache-poisoning-in-popular-open-source-packages/
 https://ubuntu.com/security/notices/USN-5105-1
Description:
 The package bottle from 0 and before 0.12.19 are vulnerable to Web Cache
 Poisoning by using a vector called parameter cloaking. When the attacker
 can separate query parameters using a semicolon (;), they can cause a
 difference in the interpretation of the request between the proxy (running
 with default configuration) and the server. This can result in malicious
 requests being cached as completely safe ones, as the proxy would usually
 not see the semicolon as a separator, and therefore would not include it in
 a cache key of an unkeyed parameter.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to: leosilva
CVSS:
 nvd: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H [6.8 MEDIUM]


Patches_python-bottle:
 upstream: https://github.com/bottlepy/bottle/commit/57a2f22e0c1d2b328c4f54bf75741d74f47f1a6b
upstream_python-bottle: released (0.12.19-1)
precise/esm_python-bottle: DNE
trusty_python-bottle: ignored (out of standard support)
trusty/esm_python-bottle: released (0.12.0-1ubuntu0.1~esm2)
xenial_python-bottle: ignored (end of standard support, was needs-triage)
bionic_python-bottle: released (0.12.13-1ubuntu0.1)
focal_python-bottle: released (0.12.15-2.1ubuntu0.1)
groovy_python-bottle: ignored (reached end-of-life)
hirsute_python-bottle: ignored (reached end-of-life)
impish_python-bottle: needs-triage
jammy_python-bottle: needs-triage
devel_python-bottle: needs-triage