#VU77305 Inconsistent interpretation of HTTP requests in Bottle - CVE-2020-28473

Cybersecurity Help s.r.o.

Published: 2023-06-14

Vulnerability identifier: #VU77305

Vulnerability risk: High

CVSSv4.0: 2.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2020-28473

CWE-ID: CWE-444

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Bottle
Server applications / Frameworks for developing and running applications

Vendor: Bottle Micro Web Framework

Description

The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.

The vulnerability exists due to the usage of a vector called parameter cloaking. A remote attacker can trick the victim into opening a specially crafted HTTP request, smuggle arbitrary HTTP headers and cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Bottle: before 0.12.19

External links
https://github.com/bottlepy/bottle
https://lists.debian.org/debian-lts-announce/2021/01/msg00019.html
https://snyk.io/blog/cache-poisoning-in-popular-open-source-packages/
https://snyk.io/vuln/SNYK-PYTHON-BOTTLE-1017108

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Splunk Python for Scientific Computing update for third-party packages

Inconsistent interpretation of HTTP requests in IBM Cloud Pak for Data System

Inconsistent interpretation of HTTP requests in IBM Integrated Analytics System

Fedora EPEL 7 update for python-bottle

Ubuntu update for python-bottle

openEuler update for python-bottle