CVE-2014-3137

Severity CVSS v4.0:
Pending analysis
Type:
CWE-20 Input Validation
Publication date:
25/10/2014
Last modified:
12/04/2025

Description

Bottle 0.10.x before 0.10.12, 0.11.x before 0.11.7, and 0.12.x before 0.12.6 does not properly limit content types, which allows remote attackers to bypass intended access restrictions via an accepted Content-Type followed by a ; (semi-colon) and a Content-Type that would not be accepted, as demonstrated in YouCompleteMe to execute arbitrary code.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:bottlepy:bottle:0.10.0:*:*:*:*:*:*:*
cpe:2.3:a:bottlepy:bottle:0.10.1:*:*:*:*:*:*:*
cpe:2.3:a:bottlepy:bottle:0.10.2:*:*:*:*:*:*:*
cpe:2.3:a:bottlepy:bottle:0.10.3:*:*:*:*:*:*:*
cpe:2.3:a:bottlepy:bottle:0.10.4:*:*:*:*:*:*:*
cpe:2.3:a:bottlepy:bottle:0.10.5:*:*:*:*:*:*:*
cpe:2.3:a:bottlepy:bottle:0.10.6:*:*:*:*:*:*:*
cpe:2.3:a:bottlepy:bottle:0.10.7:*:*:*:*:*:*:*
cpe:2.3:a:bottlepy:bottle:0.10.8:*:*:*:*:*:*:*
cpe:2.3:a:bottlepy:bottle:0.10.9:*:*:*:*:*:*:*
cpe:2.3:a:bottlepy:bottle:0.10.10:*:*:*:*:*:*:*
cpe:2.3:a:bottlepy:bottle:0.10.11:*:*:*:*:*:*:*
cpe:2.3:a:bottlepy:bottle:0.11.0:*:*:*:*:*:*:*
cpe:2.3:a:bottlepy:bottle:0.11.1:*:*:*:*:*:*:*
cpe:2.3:a:bottlepy:bottle:0.11.2:*:*:*:*:*:*:*