Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:pypi/bottle@0.9.3

Type pypi

Namespace

Name bottle

Version 0.9.3

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 0.12.20

Latest_non_vulnerable_version 0.12.20

Affected_by_vulnerabilities

url VCID-6f4p-1f4y-ryag

vulnerability_id VCID-6f4p-1f4y-ryag

summary Bottle before 0.12.20 mishandles errors during early request binding.

references

reference_url	https://github.com/advisories/GHSA-xhp9-4947-rq78
reference_id
reference_type
scores
url	https://github.com/advisories/GHSA-xhp9-4947-rq78

reference_url	https://github.com/bottlepy/bottle/commit/a2b0ee6bb4ce88895429ec4aca856616244c4c4c
reference_id
reference_type
scores
url	https://github.com/bottlepy/bottle/commit/a2b0ee6bb4ce88895429ec4aca856616244c4c4c

reference_url	https://github.com/bottlepy/bottle/commit/e140e1b54da721a660f2eb9d58a106b7b3ff2f00
reference_id
reference_type
scores
url	https://github.com/bottlepy/bottle/commit/e140e1b54da721a660f2eb9d58a106b7b3ff2f00

reference_url	https://github.com/bottlepy/bottle/compare/0.12.19...0.12.20
reference_id
reference_type
scores
url	https://github.com/bottlepy/bottle/compare/0.12.19...0.12.20

reference_url	https://lists.debian.org/debian-lts-announce/2022/06/msg00010.html
reference_id
reference_type
scores
url	https://lists.debian.org/debian-lts-announce/2022/06/msg00010.html

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IE7U6J45PUEXIYYVWJKPM6QXIRKDK4HD/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IE7U6J45PUEXIYYVWJKPM6QXIRKDK4HD/

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KTLOQGMDZEPIYTFC2G53OQV2ULCGYS3F/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KTLOQGMDZEPIYTFC2G53OQV2ULCGYS3F/

reference_url	https://www.debian.org/security/2022/dsa-5159
reference_id
reference_type
scores
url	https://www.debian.org/security/2022/dsa-5159

fixed_packages

url	pkg:pypi/bottle@0.12.20
purl	pkg:pypi/bottle@0.12.20
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:pypi/bottle@0.12.20

aliases CVE-2022-31799, GHSA-xhp9-4947-rq78, PYSEC-2022-227

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-6f4p-1f4y-ryag

url VCID-e293-3wep-hqc2

vulnerability_id VCID-e293-3wep-hqc2

summary Bottle 0.10.x before 0.10.12, 0.11.x before 0.11.7, and 0.12.x before 0.12.6 does not properly limit content types, which allows remote attackers to bypass intended access restrictions via an accepted Content-Type followed by a ; (semi-colon) and a Content-Type that would not be accepted, as demonstrated in YouCompleteMe to execute arbitrary code.

references

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1093255
reference_id
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1093255

reference_url	https://github.com/defnull/bottle/issues/616
reference_id
reference_type
scores
url	https://github.com/defnull/bottle/issues/616

reference_url	http://www.debian.org/security/2014/dsa-2948
reference_id
reference_type
scores
url	http://www.debian.org/security/2014/dsa-2948

reference_url	http://www.openwall.com/lists/oss-security/2014/05/01/15
reference_id
reference_type
scores
url	http://www.openwall.com/lists/oss-security/2014/05/01/15

fixed_packages

url pkg:pypi/bottle@0.10.12

purl pkg:pypi/bottle@0.10.12

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2dww-auab-gbaa

vulnerability	VCID-6f4p-1f4y-ryag

vulnerability	VCID-yhx1-tap2-h7bb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/bottle@0.10.12

url pkg:pypi/bottle@0.11.7

purl pkg:pypi/bottle@0.11.7

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2dww-auab-gbaa

vulnerability	VCID-6f4p-1f4y-ryag

vulnerability	VCID-yhx1-tap2-h7bb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/bottle@0.11.7

url pkg:pypi/bottle@0.12.6

purl pkg:pypi/bottle@0.12.6

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2dww-auab-gbaa

vulnerability	VCID-6f4p-1f4y-ryag

vulnerability	VCID-yhx1-tap2-h7bb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/bottle@0.12.6

aliases CVE-2014-3137, PYSEC-2014-77

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-e293-3wep-hqc2

url VCID-yhx1-tap2-h7bb

vulnerability_id VCID-yhx1-tap2-h7bb

summary The package bottle from 0 and before 0.12.19 are vulnerable to Web Cache Poisoning by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.

references

reference_url	https://github.com/advisories/GHSA-qhx9-7hx7-cp4r
reference_id
reference_type
scores
url	https://github.com/advisories/GHSA-qhx9-7hx7-cp4r

reference_url	https://github.com/bottlepy/bottle
reference_id
reference_type
scores
url	https://github.com/bottlepy/bottle

reference_url	https://lists.debian.org/debian-lts-announce/2021/01/msg00019.html
reference_id
reference_type
scores
url	https://lists.debian.org/debian-lts-announce/2021/01/msg00019.html

reference_url	https://snyk.io/blog/cache-poisoning-in-popular-open-source-packages/
reference_id
reference_type
scores
url	https://snyk.io/blog/cache-poisoning-in-popular-open-source-packages/

reference_url	https://snyk.io/vuln/SNYK-PYTHON-BOTTLE-1017108
reference_id
reference_type
scores
url	https://snyk.io/vuln/SNYK-PYTHON-BOTTLE-1017108

fixed_packages

url pkg:pypi/bottle@0.12.19

purl pkg:pypi/bottle@0.12.19

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6f4p-1f4y-ryag

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/bottle@0.12.19

aliases CVE-2020-28473, GHSA-qhx9-7hx7-cp4r, PYSEC-2021-129, SNYK-PYTHON-BOTTLE-1017108

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-yhx1-tap2-h7bb

Fixing_vulnerabilities

Risk_score null

Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/bottle@0.9.3

Package Instance