PT-2020-5561 · Bottle+5 · Bottle+5

Published

2020-10-13

Updated

2021-10-06

CVE-2020-28473

CVSS v2.0

9.0

High

Vector

AV:N/AC:M/Au:N/C:P/I:C/A:C

Name of the Vulnerable Software and Affected Versions bottle versions 0 through 0.12.19

Description The issue is related to Web Cache Poisoning by using a vector called parameter cloaking. When an attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.

Recommendations For versions 0 through 0.12.19, update to version 0.12.19 or later to resolve the issue. As a temporary workaround, consider restricting the use of semicolons in query parameters to minimize the risk of exploitation.

Exploit

Fix

HTTP Request/Response Smuggling

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-444

Related Identifiers

ALT-PU-2021-1117

BDU:2021-01160

CVE-2020-28473

DLA-2531-1

GHSA-QHX9-7HX7-CP4R

MGASA-2021-0171

OESA-2021-1067

OPENSUSE-SU-2021:0302-1

OPENSUSE-SU-2021_0302-1

OPENSUSE-SU-2024:13210-1

PYSEC-2021-129

SNYK-PYTHON-BOTTLE-1017108

SUSE-SU-2021:0483-1

SUSE-SU-2021_0483-1

USN-5105-1

Affected Products

Alt Linux

Astra Linux

Linuxmint

Suse

Ubuntu

Bottle

PT-2020-5561 · Bottle+5 · Bottle+5

CVE-2020-28473

Weakness Enumeration

Related Identifiers

Affected Products

References · 37