{"id":"PYSEC-2016-24","details":"redirect() in bottle.py in bottle 0.12.10 doesn't filter a \"\\r\\n\" sequence, which leads to a CRLF attack, as demonstrated by a redirect(\"233\\r\\nSet-Cookie: name=salt\") call.","aliases":["CVE-2016-9964","GHSA-j6f7-hghw-g437"],"modified":"2023-11-08T03:58:39.635834Z","published":"2016-12-16T09:59:00Z","references":[{"type":"REPORT","url":"https://github.com/bottlepy/bottle/issues/913"},{"type":"FIX","url":"https://github.com/bottlepy/bottle/commit/6d7e13da0f998820800ecb3fe9ccee4189aefb54"},{"type":"WEB","url":"http://www.securityfocus.com/bid/94961"},{"type":"ADVISORY","url":"http://www.debian.org/security/2016/dsa-3743"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-j6f7-hghw-g437"}],"affected":[{"package":{"name":"bottle","ecosystem":"PyPI","purl":"pkg:pypi/bottle"},"ranges":[{"type":"GIT","repo":"https://github.com/bottlepy/bottle","events":[{"introduced":"0"},{"fixed":"6d7e13da0f998820800ecb3fe9ccee4189aefb54"}]},{"type":"ECOSYSTEM","events":[{"introduced":"0.10.1"},{"fixed":"0.12.11"}]}],"versions":["0.10.1","0.10.10","0.10.11","0.10.12","0.10.2","0.10.3","0.10.4","0.10.5","0.10.6","0.10.7","0.10.8","0.10.9","0.11.1","0.11.2","0.11.3","0.11.4","0.11.5","0.11.6","0.11.7","0.12.1","0.12.10","0.12.2","0.12.3","0.12.4","0.12.5","0.12.6","0.12.7","0.12.8","0.12.9"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/bottle/PYSEC-2016-24.yaml"}}],"schema_version":"1.7.3"}