{"id":"PYSEC-2014-77","details":"Bottle 0.10.x before 0.10.12, 0.11.x before 0.11.7, and 0.12.x before 0.12.6 does not properly restrict the Content-Type values it accepts, which allows remote attackers to bypass intended access restrictions via an accepted Content-Type followed by a semicolon (;) and a Content-Type that would otherwise be rejected, as demonstrated in YouCompleteMe to execute arbitrary code.","aliases":["CVE-2014-3137","GHSA-873q-wpqr-xfgw"],"modified":"2023-11-08T03:57:37.079184Z","published":"2014-10-25T22:55:00Z","references":[{"type":"REPORT","url":"https://github.com/defnull/bottle/issues/616"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1093255"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2014/05/01/15"},{"type":"ADVISORY","url":"http://www.debian.org/security/2014/dsa-2948"}],"affected":[{"package":{"name":"bottle","ecosystem":"PyPI","purl":"pkg:pypi/bottle"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0.8"},{"fixed":"0.10.12"},{"introduced":"0.11"},{"fixed":"0.11.7"},{"introduced":"0.12"},{"fixed":"0.12.6"}]}],"versions":["0.10.1","0.10.10","0.10.11","0.10.2","0.10.3","0.10.4","0.10.5","0.10.6","0.10.7","0.10.8","0.10.9","0.11.1","0.11.2","0.11.3","0.11.4","0.11.5","0.11.6","0.12.1","0.12.2","0.12.3","0.12.4","0.12.5","0.8.1","0.8.2","0.8.3","0.8.4","0.8.5","0.9.1","0.9.2","0.9.3","0.9.4","0.9.5","0.9.6","0.9.7","0.9.8"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/bottle/PYSEC-2014-77.yaml"}}],"schema_version":"1.7.3"}