Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:deb/debian/python-bottle@0.8.4-1
purl pkg:deb/debian/python-bottle@0.8.4-1
Next non-vulnerable version 0.12.19-1+deb11u1
Latest non-vulnerable version 0.12.19-1+deb11u1
Risk 4.5
Vulnerabilities affecting this package (5)
Vulnerability Summary Fixed by
VCID-2dww-auab-gbaa
Aliases:
CVE-2016-9964
GHSA-j6f7-hghw-g437
PYSEC-2016-24
redirect() in bottle.py in bottle 0.12.10 doesn't filter a "\r\n" sequence, which leads to a CRLF attack, as demonstrated by a redirect("233\r\nSet-Cookie: name=salt") call.
0.12.7-1+deb8u2
Affected by 3 other vulnerabilities.
0.12.13-1
Affected by 2 other vulnerabilities.
VCID-6f4p-1f4y-ryag
Aliases:
CVE-2022-31799
GHSA-xhp9-4947-rq78
PYSEC-2022-227
Bottle before 0.12.20 mishandles errors during early request binding.
0.12.15-2+deb10u2
Affected by 2 other vulnerabilities.
0.12.19-1+deb11u1
Affected by 0 other vulnerabilities.
VCID-e293-3wep-hqc2
Aliases:
CVE-2014-3137
GHSA-873q-wpqr-xfgw
PYSEC-2014-77
Bottle 0.10.x before 0.10.12, 0.11.x before 0.11.7, and 0.12.x before 0.12.6 does not properly limit content types, which allows remote attackers to bypass intended access restrictions via an accepted Content-Type followed by a ; (semi-colon) and a Content-Type that would not be accepted, as demonstrated in YouCompleteMe to execute arbitrary code.
0.10.11-1+deb7u1
Affected by 5 other vulnerabilities.
0.12.7-1
Affected by 4 other vulnerabilities.
VCID-x282-4pnd-8qa6
Aliases:
DSA-3743-2 python-bottle
regression update
0.12.7-1+deb8u2
Affected by 3 other vulnerabilities.
VCID-yhx1-tap2-h7bb
Aliases:
CVE-2020-28473
GHSA-qhx9-7hx7-cp4r
PYSEC-2021-129
SNYK-PYTHON-BOTTLE-1017108
The package bottle from 0 and before 0.12.19 are vulnerable to Web Cache Poisoning by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.
0.12.19-1+deb11u1
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-06T04:21:51.679397+00:00 Debian Oval Importer Affected by VCID-6f4p-1f4y-ryag https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.6.0
2026-06-06T03:46:40.834674+00:00 Debian Oval Importer Affected by VCID-2dww-auab-gbaa https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.6.0
2026-06-06T01:48:18.405540+00:00 Debian Oval Importer Affected by VCID-yhx1-tap2-h7bb https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.6.0
2026-06-06T00:53:39.163907+00:00 Debian Oval Importer Affected by VCID-e293-3wep-hqc2 https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.6.0
2026-06-05T23:20:38.349599+00:00 Debian Oval Importer Affected by VCID-6f4p-1f4y-ryag https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 38.6.0
2026-06-05T21:58:14.154246+00:00 Debian Oval Importer Affected by VCID-x282-4pnd-8qa6 https://www.debian.org/security/oval/oval-definitions-jessie.xml.bz2 38.6.0
2026-06-05T21:44:07.796779+00:00 Debian Oval Importer Affected by VCID-2dww-auab-gbaa https://www.debian.org/security/oval/oval-definitions-jessie.xml.bz2 38.6.0
2026-06-04T20:30:16.696122+00:00 Debian Oval Importer Affected by VCID-e293-3wep-hqc2 https://www.debian.org/security/oval/oval-definitions-wheezy.xml.bz2 38.6.0