CVE-2020-28473 - OpenCVE

The package bottle from 0 and before 0.12.19 are vulnerable to Web Cache Poisoning by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Bottlepy	Bottle
Debian	Debian Linux

Configuration 1 [-]

cpe:2.3:a:bottlepy:bottle:*:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/bottlepy/bottle
https://lists.debian.org/debian-lts-announce/2021/01/msg00019.html
https://snyk.io/blog/cache-poisoning-in-popular-open-source-packages/
https://snyk.io/vuln/SNYK-PYTHON-BOTTLE-1017108

History

No history.

MITRE

Status: PUBLISHED

Assigner: snyk

Published: 2021-01-18T11:15:14.918598Z

Updated: 2024-09-16T20:41:35.337Z

Reserved: 2020-11-12T00:00:00

Link: CVE-2020-28473

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-01-18T12:15:12.707

Modified: 2021-01-28T15:57:55.260

Link: CVE-2020-28473

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "bottle", "vendor": "n/a", "versions": [{"lessThan": "unspecified", "status": "affected", "version": "0", "versionType": "custom"}, {"lessThan": "0.12.19", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Snyk Security Team"}], "datePublic": "2021-01-18T00:00:00", "descriptions": [{"lang": "en", "value": "The package bottle from 0 and before 0.12.19 are vulnerable to Web Cache Poisoning by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "exploitCodeMaturity": "PROOF_OF_CONCEPT", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "remediationLevel": "OFFICIAL_FIX", "reportConfidence": "CONFIRMED", "scope": "UNCHANGED", "temporalScore": 6.1, "temporalSeverity": "MEDIUM", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "Web Cache Poisoning", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-01-24T21:06:09", "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-PYTHON-BOTTLE-1017108"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/bottlepy/bottle"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://snyk.io/blog/cache-poisoning-in-popular-open-source-packages/"}, {"name": "[debian-lts-announce] 20210124 [SECURITY] [DLA 2531-1] python-bottle security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2021/01/msg00019.html"}], "title": "Web Cache Poisoning", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "report@snyk.io", "DATE_PUBLIC": "2021-01-18T11:12:14.506344Z", "ID": "CVE-2020-28473", "STATE": "PUBLIC", "TITLE": "Web Cache Poisoning"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "bottle", "version": {"version_data": [{"version_affected": ">=", "version_value": "0"}, {"version_affected": "<", "version_value": "0.12.19"}]}}]}, "vendor_name": "n/a"}]}}, "credit": [{"lang": "eng", "value": "Snyk Security Team"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The package bottle from 0 and before 0.12.19 are vulnerable to Web Cache Poisoning by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Web Cache Poisoning"}]}]}, "references": {"reference_data": [{"name": "https://snyk.io/vuln/SNYK-PYTHON-BOTTLE-1017108", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-PYTHON-BOTTLE-1017108"}, {"name": "https://github.com/bottlepy/bottle", "refsource": "MISC", "url": "https://github.com/bottlepy/bottle"}, {"name": "https://snyk.io/blog/cache-poisoning-in-popular-open-source-packages/", "refsource": "CONFIRM", "url": "https://snyk.io/blog/cache-poisoning-in-popular-open-source-packages/"}, {"name": "[debian-lts-announce] 20210124 [SECURITY] [DLA 2531-1] python-bottle security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2021/01/msg00019.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T16:40:58.665Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://snyk.io/vuln/SNYK-PYTHON-BOTTLE-1017108"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/bottlepy/bottle"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://snyk.io/blog/cache-poisoning-in-popular-open-source-packages/"}, {"name": "[debian-lts-announce] 20210124 [SECURITY] [DLA 2531-1] python-bottle security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2021/01/msg00019.html"}]}]}, "cveMetadata": {"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "assignerShortName": "snyk", "cveId": "CVE-2020-28473", "datePublished": "2021-01-18T11:15:14.918598Z", "dateReserved": "2020-11-12T00:00:00", "dateUpdated": "2024-09-16T20:41:35.337Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:bottlepy:bottle:*:*:*:*:*:*:*:*", "matchCriteriaId": "6C2A48B7-D939-4AB5-A241-4071D99F0033", "versionEndExcluding": "0.12.19", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The package bottle from 0 and before 0.12.19 are vulnerable to Web Cache Poisoning by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter."}, {"lang": "es", "value": "El paquete bottle desde versiones 0 y anteriores a 0.12.19, es vulnerable al Envenenamiento de Cach\u00e9 Web al usar un vector llamado encubrimiento de par\u00e1metros. Cuando el atacante puede separar los par\u00e1metros de consulta usando un punto y coma (;), pueden causar una diferencia en la interpretaci\u00f3n de la petici\u00f3n entre el proxy (que se ejecuta con la configuraci\u00f3n predeterminada) y el servidor. Esto puede resultar en que las peticiones maliciosas se almacenen en cach\u00e9 como completamente seguras, ya que el proxy normalmente no ver\u00eda el punto y coma como un separador y, por lo tanto, no lo incluir\u00eda en una clave de cach\u00e9 de un par\u00e1metro sin clave"}], "id": "CVE-2020-28473", "lastModified": "2021-01-28T15:57:55.260", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.2, "source": "report@snyk.io", "type": "Primary"}]}, "published": "2021-01-18T12:15:12.707", "references": [{"source": "report@snyk.io", "tags": ["Product", "Third Party Advisory"], "url": "https://github.com/bottlepy/bottle"}, {"source": "report@snyk.io", "tags": ["Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2021/01/msg00019.html"}, {"source": "report@snyk.io", "tags": ["Third Party Advisory"], "url": "https://snyk.io/blog/cache-poisoning-in-popular-open-source-packages/"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-PYTHON-BOTTLE-1017108"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-444"}], "source": "nvd@nist.gov", "type": "Primary"}]}