CVE-2020-28473 - OpenCVE

The package bottle from 0 and before 0.12.19 are vulnerable to Web Cache Poisoning by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Debian	Debian Linux
Bottlepy	Bottle

Configuration 1 [-]

cpe:2.3:a:bottlepy:bottle:*:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/bottlepy/bottle	Product Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/01/msg00019.html	Third Party Advisory
https://snyk.io/blog/cache-poisoning-in-popular-open-source-packages/	Third Party Advisory
https://snyk.io/vuln/SNYK-PYTHON-BOTTLE-1017108	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: snyk

Published: 2021-01-18T00:00:00

Updated: 2021-01-24T21:06:09

Reserved: 2020-11-12T00:00:00

Link: CVE-2020-28473

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-01-18T12:15:12.707

Modified: 2021-01-28T15:57:55.260

Link: CVE-2020-28473

JSON object: View

Redhat Information

No data.

CWE

CWE-444

{"containers": {"cna": {"affected": [{"product": "bottle", "vendor": "n/a", "versions": [{"lessThan": "unspecified", "status": "affected", "version": "0", "versionType": "custom"}, {"lessThan": "0.12.19", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Snyk Security Team"}], "datePublic": "2021-01-18T00:00:00", "descriptions": [{"lang": "en", "value": "The package bottle from 0 and before 0.12.19 are vulnerable to Web Cache Poisoning by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "exploitCodeMaturity": "PROOF_OF_CONCEPT", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "remediationLevel": "OFFICIAL_FIX", "reportConfidence": "CONFIRMED", "scope": "UNCHANGED", "temporalScore": 6.1, "temporalSeverity": "MEDIUM", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "Web Cache Poisoning", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-01-24T21:06:09", "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-PYTHON-BOTTLE-1017108"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/bottlepy/bottle"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://snyk.io/blog/cache-poisoning-in-popular-open-source-packages/"}, {"name": "[debian-lts-announce] 20210124 [SECURITY] [DLA 2531-1] python-bottle security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2021/01/msg00019.html"}], "title": "Web Cache Poisoning", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "report@snyk.io", "DATE_PUBLIC": "2021-01-18T11:12:14.506344Z", "ID": "CVE-2020-28473", "STATE": "PUBLIC", "TITLE": "Web Cache Poisoning"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "bottle", "version": {"version_data": [{"version_affected": ">=", "version_value": "0"}, {"version_affected": "<", "version_value": "0.12.19"}]}}]}, "vendor_name": "n/a"}]}}, "credit": [{"lang": "eng", "value": "Snyk Security Team"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The package bottle from 0 and before 0.12.19 are vulnerable to Web Cache Poisoning by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Web Cache Poisoning"}]}]}, "references": {"reference_data": [{"name": "https://snyk.io/vuln/SNYK-PYTHON-BOTTLE-1017108", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-PYTHON-BOTTLE-1017108"}, {"name": "https://github.com/bottlepy/bottle", "refsource": "MISC", "url": "https://github.com/bottlepy/bottle"}, {"name": "https://snyk.io/blog/cache-poisoning-in-popular-open-source-packages/", "refsource": "CONFIRM", "url": "https://snyk.io/blog/cache-poisoning-in-popular-open-source-packages/"}, {"name": "[debian-lts-announce] 20210124 [SECURITY] [DLA 2531-1] python-bottle security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2021/01/msg00019.html"}]}}}}, "cveMetadata": {"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "assignerShortName": "snyk", "cveId": "CVE-2020-28473", "datePublished": "2021-01-18T00:00:00", "dateReserved": "2020-11-12T00:00:00", "dateUpdated": "2021-01-24T21:06:09", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:bottlepy:bottle:*:*:*:*:*:*:*:*", "matchCriteriaId": "6C2A48B7-D939-4AB5-A241-4071D99F0033", "versionEndExcluding": "0.12.19", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The package bottle from 0 and before 0.12.19 are vulnerable to Web Cache Poisoning by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter."}, {"lang": "es", "value": "El paquete bottle desde versiones 0 y anteriores a 0.12.19, es vulnerable al Envenenamiento de Cach\u00e9 Web al usar un vector llamado encubrimiento de par\u00e1metros. Cuando el atacante puede separar los par\u00e1metros de consulta usando un punto y coma (;), pueden causar una diferencia en la interpretaci\u00f3n de la petici\u00f3n entre el proxy (que se ejecuta con la configuraci\u00f3n predeterminada) y el servidor. Esto puede resultar en que las peticiones maliciosas se almacenen en cach\u00e9 como completamente seguras, ya que el proxy normalmente no ver\u00eda el punto y coma como un separador y, por lo tanto, no lo incluir\u00eda en una clave de cach\u00e9 de un par\u00e1metro sin clave"}], "id": "CVE-2020-28473", "lastModified": "2021-01-28T15:57:55.260", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.2, "source": "report@snyk.io", "type": "Primary"}]}, "published": "2021-01-18T12:15:12.707", "references": [{"source": "report@snyk.io", "tags": ["Product", "Third Party Advisory"], "url": "https://github.com/bottlepy/bottle"}, {"source": "report@snyk.io", "tags": ["Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2021/01/msg00019.html"}, {"source": "report@snyk.io", "tags": ["Third Party Advisory"], "url": "https://snyk.io/blog/cache-poisoning-in-popular-open-source-packages/"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-PYTHON-BOTTLE-1017108"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-444"}], "source": "nvd@nist.gov", "type": "Primary"}]}