HTTP Response Splitting Affecting bottle package, versions [0.10.1,0.12.11)


0.0
medium

Snyk CVSS

    Attack Complexity Low
    User Interaction Required
    Integrity High

    Threat Intelligence

    EPSS 0.2% (58th percentile)
NVD
6.5 medium

  • Snyk ID SNYK-PYTHON-BOTTLE-40448
  • published 8 Dec 2016
  • disclosed 8 Dec 2016
  • credit Unknown

Overview

bottle is a fast and simple WSGI framework for small web applications. It was found that redirect() in bottle.py does not filter the "\r\n" sequence from its argument, so the value is written verbatim into the Location header. This permits a CRLF injection (HTTP response splitting) attack, as demonstrated by a redirect("233\r\nSet-Cookie: name=salt") call, which injects a Set-Cookie header into the response.
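The following is an added example, not code from the bottle project or from this advisory. It models the unfiltered behaviour described above with a minimal header serializer (the function names `naive_redirect_headers`, `parse_headers` and `safe_redirect_headers` are assumptions for this illustration, not bottle APIs), parses the result the way an HTTP client would so the injected header becomes visible, and then shows the check a safe redirect helper applies: reject any CR or LF before the value reaches a header.

```python
import re

# Header values must never contain CR or LF; that is the whole fix for
# response splitting. Anything stricter is a local policy choice.
_CRLF = re.compile(r"[\r\n]")

_REASONS = {301: "Moved Permanently", 302: "Found", 303: "See Other",
            307: "Temporary Redirect", 308: "Permanent Redirect"}


def naive_redirect_headers(url, code=303):
    """Models the unfiltered behaviour: the redirect target is copied into
    the Location header verbatim, so CR/LF inside it become extra header
    lines. Kept only to show the failure mode; do not use as-is."""
    return f"HTTP/1.1 {code} {_REASONS[code]}\r\nLocation: {url}\r\n\r\n"


def parse_headers(raw):
    """Split a serialized response head into (status line, headers dict),
    roughly as an HTTP client does. Lines without ': ' are ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ": " in line:
            name, value = line.split(": ", 1)
            headers[name] = value
    return lines[0], headers


def safe_redirect_headers(url, code=303):
    """Hardened variant: refuses any value containing CR or LF, so the
    Location header can never be split into additional headers."""
    if _CRLF.search(url):
        raise ValueError("CR/LF not allowed in a Location header value")
    return naive_redirect_headers(url, code)


def is_split(raw, expected_headers=("Location",)):
    """Detection helper: True if a serialized redirect carries headers
    beyond the ones the application meant to send."""
    _, headers = parse_headers(raw)
    return any(name not in expected_headers for name in headers)


if __name__ == "__main__":
    # Constructed input: the payload quoted in the advisory.
    payload = "233\r\nSet-Cookie: name=salt"
    print(parse_headers(naive_redirect_headers(payload)))  # Set-Cookie appears
    print(is_split(naive_redirect_headers(payload)))       # True
    try:
        safe_redirect_headers(payload)
    except ValueError as exc:
        print("rejected:", exc)
    print(parse_headers(safe_redirect_headers("/login")))  # only Location
```

The rejection check belongs at the point where a value is placed into a header, not only in redirect(): any header set from request-controlled data (Set-Cookie, Content-Disposition, custom headers) has the same failure mode, and validating once in the header setter covers all of them. Rejecting with an error is preferable to silently stripping, since a stripped value usually indicates either a bug or an attempt that is worth logging.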