PT-2016-7891 · Bottle · Bottle

Altop · Published 2016-12-16 · Updated 2022-05-17 · CVE-2016-9964

CVSS v4.0: 7.1 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: bottle version 0.12.10

Description: The issue is a CRLF attack: the redirect() function in bottle.py does not filter a "\r\n" sequence from the redirect target before it is placed in the Location header. This is demonstrated by a redirect("233\r\nSet-Cookie: name=salt") call, where the text after the "\r\n" is treated as a further response header, which can lead to security issues.

Recommendations: For version 0.12.10, consider disabling the redirect() function until a patch is available, to prevent potential CRLF attacks. Restrict access to the redirect() function to minimize the risk of exploitation. Avoid calling redirect() with unfiltered user input until the issue is resolved.
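As an added, defender-side example (not Bottle's own code, and it does not import bottle): the hypothetical safe_redirect_target() rejects the CR/LF bytes the advisory describes before a value ever reaches redirect(), and render_location_header() shows why the constructed payload would otherwise turn into two headers on the wire. The host allowlist is an assumption beyond the advisory, added as open-redirect hardening.

```python
"""Validate a redirect target before it is used in a Location header.

Added example, not Bottle's code. It works on plain strings so it runs
stand-alone; in an app you would call safe_redirect_target() on any
user-supplied value before passing it to redirect().
"""
import re
from urllib.parse import urlsplit

# CR, LF or NUL inside a header value terminates the Location header and
# lets the remainder of the string be parsed as extra headers or a body.
HEADER_CTL = re.compile(r"[\r\n\x00]")


def render_location_header(target: str) -> list:
    """Split the raw header block on CRLF the way an HTTP client does,
    returning the header lines an unfiltered value would produce."""
    raw = "Location: " + target + "\r\n"
    return [line for line in raw.split("\r\n") if line]


def safe_redirect_target(target: str, allowed_hosts=frozenset()) -> str:
    """Return target unchanged if it is safe for a Location header.

    Rejects control characters (the CRLF injection in CVE-2016-9964) and
    absolute or protocol-relative URLs outside allowed_hosts. Raises
    ValueError; the caller should answer 400 instead of redirecting.
    """
    # Check raw bytes first: urlsplit() strips \t, \r and \n on newer
    # Pythons, so a URL parser alone would hide the injection.
    if HEADER_CTL.search(target):
        raise ValueError("control character in redirect target")
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:  # absolute or "//host/..." form
        if parts.scheme not in ("http", "https"):
            raise ValueError("unsupported scheme in redirect target")
        if parts.netloc.lower() not in allowed_hosts:
            raise ValueError("redirect to host outside allowlist")
    return target


def is_safe_redirect_target(target: str, allowed_hosts=frozenset()) -> bool:
    """Boolean form of safe_redirect_target() for logging or tests."""
    try:
        safe_redirect_target(target, allowed_hosts)
        return True
    except ValueError:
        return False


# Constructed payload taken from the advisory text (not a real URL).
PAYLOAD = "233\r\nSet-Cookie: name=salt"
```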

Fix


Weakness Enumeration

Related Identifiers

CVE-2016-9964
DLA-761-1
DSA-3743-1
DSA-3743-2
GHSA-J6F7-HGHW-G437
MGASA-2017-0031
OPENSUSE-SU-2024:11220-1
PYSEC-2016-24

Affected Products

Bottle