VIR Vulnerability Intelligence Relay

CVE-2014-3137

medium
Published 2014-10-25 · Modified 2023-11-08
CVSS v3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v2
6.8
VIR risk
6.8

Description

Bottle 0.10.x before 0.10.12, 0.11.x before 0.11.7, and 0.12.x before 0.12.6 does not properly limit content types, which allows remote attackers to bypass intended access restrictions via an accepted Content-Type followed by a ; (semi-colon) and a Content-Type that would not be accepted, as demonstrated in YouCompleteMe to execute arbitrary code.

Predictions

Exploit likelihood
30%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2014-3137

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://bugzilla.redhat.com/show_bug.cgi?id=1093255

OS impact
OSVersionStatusFixed in
debian debianbookwormfixed0.12.6-1
debian debianbullseyefixed0.12.6-1
debian debianforkyfixed0.12.6-1
debian debiansidfixed0.12.6-1
debian debiantrixiefixed0.12.6-1

Package impact
EcosystemPackageVulnerableFixed
python PyPIbottle>=0.10.0,<0.10.120.10.12
python PyPIbottle>=0.11.0,<0.11.70.11.7
python PyPIbottle>=0.12.0,<0.12.60.12.6
python PyPIbottle>=0.12,<0.12.60.10.12

Application impact
VendorProductVersionsFixed
bottlepybottle0.10.0
bottlepybottle0.10.1
bottlepybottle0.10.2
bottlepybottle0.10.3
bottlepybottle0.10.4
bottlepybottle0.10.5
bottlepybottle0.10.6
bottlepybottle0.10.7
bottlepybottle0.10.8
bottlepybottle0.10.9
bottlepybottle0.10.10
bottlepybottle0.10.11
bottlepybottle0.11.0
bottlepybottle0.11.1
bottlepybottle0.11.2
bottlepybottle0.11.3
bottlepybottle0.11.4
bottlepybottle0.11.5
bottlepybottle0.11.6
bottlepybottle0.11.7
bottlepybottle0.12.0
bottlepybottle0.12.1
bottlepybottle0.12.2
bottlepybottle0.12.3
bottlepybottle0.12.4
bottlepybottle0.12.5

References

CWEs

CWE-20

Verify integrity in audit chain (admin only). AS-IS.