Bottle 0.10.x before 0.10.12, 0.11.x before 0.11.7, and 0.12.x before 0.12.6 does not properly limit content types, which allows remote attackers to bypass intended access restrictions via an accepted Content-Type followed by a ; (semi-colon) and a Content-Type that would not be accepted, as demonstrated in YouCompleteMe to execute arbitrary code.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| bottle(PyPI) | 0.10.0 | 0.10.12 | N/A |
| bottle(PyPI) | 0.11.0 | 0.11.7 | N/A |
| bottle(PyPI) | 0.12.0 | 0.12.6 | N/A |
CVSS Metrics
