CVE-2020-28473 Information

Description

The package bottle from 0 and before 0.12.19 are vulnerable to Web Cache Poisoning by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;) they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones as the proxy would usually not see the semicolon as a separator and therefore would not include it in a cache key of an unkeyed parameter.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H

Reference

https://snyk.io/vuln/SNYK-PYTHON-BOTTLE-1017108 https://github.com/bottlepy/bottle https://snyk.io/blog/cache-poisoning-in-popular-open-source-packages/ https://lists.debian.org/debian-lts-announce/2021/01/msg00019.html

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction Required

NONE

Scope

REQUIRED

Confidentiality Impact

UNCHANGED

Integrity Impact

NONE

Availability Impact

HIGH

Base Score

HIGH

Base Severity

6.8