Bottle 0.10.x before 0.10.12, 0.11.x before 0.11.7, and 0.12.x before 0.12.6 does not properly limit content types, which allows remote attackers to bypass intended access restrictions via an accepted Content-Type followed by a ; (semi-colon) and a Content-Type that would not be accepted, as demonstrated in YouCompleteMe to execute arbitrary code.
2014-10-25T22:55:04.227
2025-04-12T10:46:40.837
Deferred
CVSSv2: 6.8 (MEDIUM)
AV:N/AC:M/Au:N/C:P/I:P/A:P
8.6
6.4
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | bottlepy | bottle | 0.10.0 | Yes |
| Application | bottlepy | bottle | 0.10.1 | Yes |
| Application | bottlepy | bottle | 0.10.2 | Yes |
| Application | bottlepy | bottle | 0.10.3 | Yes |
| Application | bottlepy | bottle | 0.10.4 | Yes |
| Application | bottlepy | bottle | 0.10.5 | Yes |
| Application | bottlepy | bottle | 0.10.6 | Yes |
| Application | bottlepy | bottle | 0.10.7 | Yes |
| Application | bottlepy | bottle | 0.10.8 | Yes |
| Application | bottlepy | bottle | 0.10.9 | Yes |
| Application | bottlepy | bottle | 0.10.10 | Yes |
| Application | bottlepy | bottle | 0.10.11 | Yes |
| Application | bottlepy | bottle | 0.11.0 | Yes |
| Application | bottlepy | bottle | 0.11.1 | Yes |
| Application | bottlepy | bottle | 0.11.2 | Yes |
| Application | bottlepy | bottle | 0.11.3 | Yes |
| Application | bottlepy | bottle | 0.11.4 | Yes |
| Application | bottlepy | bottle | 0.11.5 | Yes |
| Application | bottlepy | bottle | 0.11.6 | Yes |
| Application | bottlepy | bottle | 0.11.7 | Yes |
| Application | bottlepy | bottle | 0.12.0 | Yes |
| Application | bottlepy | bottle | 0.12.1 | Yes |
| Application | bottlepy | bottle | 0.12.2 | Yes |
| Application | bottlepy | bottle | 0.12.3 | Yes |
| Application | bottlepy | bottle | 0.12.4 | Yes |
| Application | bottlepy | bottle | 0.12.5 | Yes |