HTTP Response Splitting Affecting bottle package, versions [0.10.1,0.12.11)
Snyk CVSS
- Attack Complexity: Low
- User Interaction: Required
- Integrity: High
Threat Intelligence
- EPSS: 0.2% (58th percentile)
- Snyk ID SNYK-PYTHON-BOTTLE-40448
- published 8 Dec 2016
- disclosed 8 Dec 2016
- credit Unknown
Overview
bottle is a fast and simple WSGI framework for small web applications.
It was found that redirect() in bottle.py does not filter a "\r\n" (CRLF) sequence in the redirect target. Because CR and LF terminate a header line on the wire, an attacker-controlled value can inject additional response headers (a CRLF injection, leading to HTTP response splitting), as demonstrated by a redirect("233\r\nSet-Cookie: name=salt") call.
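The following added example (not Snyk's text and not bottle's own code) shows why the unfiltered sequence matters and what the missing check looks like. The header-serialisation helpers are a hypothetical stand-in for a framework's response builder, not bottle's implementation; the sample redirect target is the one quoted in the advisory.

```python
"""Added example: how a CR/LF in a redirect target splits an HTTP response,
and the validation that a fixed framework applies before emitting the header.
The helpers below are a hypothetical stand-in for a response builder; they
are not bottle's code."""
import re

# RFC 7230 forbids bare CR and LF inside a header field value: on the wire
# either character ends the current header line, so anything after it is
# parsed by the client as a new header (or as the start of the body).
_CTL = re.compile(r"[\r\n]")


def split_header_lines(name: str, value: str) -> list:
    """Serialise one header with no validation and return the header lines a
    client would actually parse. Illustrates the defect in the advisory: a
    CR/LF inside the value yields extra, attacker-chosen header lines."""
    wire = f"{name}: {value}\r\n"
    return [line for line in _CTL.split(wire) if line]


def is_safe_header_value(value: str) -> bool:
    """True if the value contains no CR or LF and so cannot split the response."""
    return _CTL.search(value) is None


def safe_redirect_headers(location: str) -> dict:
    """Build the headers for a redirect, refusing any Location value that
    would inject further header lines. Raising is the right behaviour: the
    framework must not silently emit a partially attacker-controlled header."""
    if not is_safe_header_value(location):
        raise ValueError("header value contains CR or LF")
    return {"Location": location}


def redirect_allowed(location: str) -> bool:
    """Convenience wrapper: did the hardened builder accept this target?"""
    try:
        safe_redirect_headers(location)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs: a normal target and the advisory's sample payload.
    for target in ("/home", "233\r\nSet-Cookie: name=salt"):
        print(repr(target), "->", split_header_lines("Location", target),
              "allowed:", redirect_allowed(target))
```

The naive serialiser turns the single Location header into two header lines, which is the whole of the response-splitting problem; the hardened builder rejects the value before it reaches the wire. Stripping CR and LF instead of rejecting is a weaker fix, since it can silently change the redirect target.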