CVE-2020-28473

NameCVE-2020-28473
DescriptionThe package bottle from 0 and before 0.12.19 are vulnerable to Web Cache Poisoning by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2531-1, ELA-350-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
python-bottle (PTS)jessie, jessie (lts)0.12.7-1+deb8u4fixed
stretch (security), stretch (lts), stretch0.12.13-1+deb9u2fixed
buster, buster (security)0.12.15-2+deb10u2fixed
bullseye (security), bullseye0.12.19-1+deb11u1fixed
bookworm0.12.23-1.1fixed
sid, trixie0.12.25-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
python-bottlesourcejessie0.12.7-1+deb8u3ELA-350-1
python-bottlesourcestretch0.12.13-1+deb9u1DLA-2531-1
python-bottlesourcebuster0.12.15-2+deb10u1
python-bottlesource(unstable)0.12.19-1

Notes

https://snyk.io/vuln/SNYK-PYTHON-BOTTLE-1017108
Fixed by: https://github.com/bottlepy/bottle/commit/57a2f22e0c1d2b328c4f54bf75741d74f47f1a6b (0.12.19)
Search for package or bug name: Reporting problems