CVE-2020-28473

The package bottle from 0 and before 0.12.19 are vulnerable to Web Cache Poisoning by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.

CVSS v3 6.8 MEDIUM
CVSS v2.0 5.8 MEDIUM

6.8^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.6 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

5.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:N

Exploitability : 8.6 / Impact : 4.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://github.com/bottlepy/bottle	Product Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/01/msg00019.html	Third Party Advisory
https://snyk.io/blog/cache-poisoning-in-popular-open-source-packages/	Third Party Advisory
https://snyk.io/vuln/SNYK-PYTHON-BOTTLE-1017108	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:bottlepy:bottle:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

History

No history.

Information

Published : 2021-01-18 12:15

Updated : 2021-01-28 15:57

NVD link : CVE-2020-28473

Mitre link : CVE-2020-28473

CVE.ORG link : CVE-2020-28473

JSON object : View

Products Affected

debian

debian_linux

bottlepy

bottle

CWE

CWE-444

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

{"id": "CVE-2020-28473", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "report@snyk.io", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 5.2, "exploitabilityScore": 1.6}]}, "published": "2021-01-18T12:15:12.707", "references": [{"url": "https://github.com/bottlepy/bottle", "tags": ["Product", "Third Party Advisory"], "source": "report@snyk.io"}, {"url": "https://lists.debian.org/debian-lts-announce/2021/01/msg00019.html", "tags": ["Third Party Advisory"], "source": "report@snyk.io"}, {"url": "https://snyk.io/blog/cache-poisoning-in-popular-open-source-packages/", "tags": ["Third Party Advisory"], "source": "report@snyk.io"}, {"url": "https://snyk.io/vuln/SNYK-PYTHON-BOTTLE-1017108", "tags": ["Exploit", "Third Party Advisory"], "source": "report@snyk.io"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-444"}]}], "descriptions": [{"lang": "en", "value": "The package bottle from 0 and before 0.12.19 are vulnerable to Web Cache Poisoning by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter."}, {"lang": "es", "value": "El paquete bottle desde versiones 0 y anteriores a 0.12.19, es vulnerable al Envenenamiento de Cach\u00e9 Web al usar un vector llamado encubrimiento de par\u00e1metros. Cuando el atacante puede separar los par\u00e1metros de consulta usando un punto y coma (;), pueden causar una diferencia en la interpretaci\u00f3n de la petici\u00f3n entre el proxy (que se ejecuta con la configuraci\u00f3n predeterminada) y el servidor. Esto puede resultar en que las peticiones maliciosas se almacenen en cach\u00e9 como completamente seguras, ya que el proxy normalmente no ver\u00eda el punto y coma como un separador y, por lo tanto, no lo incluir\u00eda en una clave de cach\u00e9 de un par\u00e1metro sin clave"}], "lastModified": "2021-01-28T15:57:55.260", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:bottlepy:bottle:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6C2A48B7-D939-4AB5-A241-4071D99F0033", "versionEndExcluding": "0.12.19"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252"}], "operator": "OR"}]}], "sourceIdentifier": "report@snyk.io"}