CVE-2020-28473: Web Cache Poisoning
First published: Mon Jan 18 2021(Updated: )
The package bottle before 0.12.19 are vulnerable to Web Cache Poisoning by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.
Credit: report@snyk.io
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/bottle | <0.12.19 | 0.12.19 |
| Bottle | <0.12.19 | |
| Debian | =9.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2020-28473
- https://github.com/bottlepy/bottle/commit/57a2f22e0c1d2b328c4f54bf75741d74f47f1a6b
- https://lists.debian.org/debian-lts-announce/2021/01/msg00019.html
- https://snyk.io/blog/cache-poisoning-in-popular-open-source-packages/
- https://snyk.io/vuln/SNYK-PYTHON-BOTTLE-1017108
- https://github.com/advisories/GHSA-qhx9-7hx7-cp4r (Advisory)
- https://github.com/bottlepy/bottle
- https://github.com/pypa/advisory-database/tree/main/vulns/bottle/PYSEC-2021-129.yaml
- https://snyk.io/blog/cache-poisoning-in-popular-open-source-packages
Frequently Asked Questions
What is the severity of CVE-2020-28473?
CVE-2020-28473 is classified as a moderate severity vulnerability due to its potential for web cache poisoning.
What versions of the Bottle package are affected by CVE-2020-28473?
CVE-2020-28473 affects Bottle versions prior to 0.12.19.
How do I fix CVE-2020-28473?
To fix CVE-2020-28473, upgrade the Bottle package to version 0.12.19 or later.
What kind of attacks can CVE-2020-28473 facilitate?
CVE-2020-28473 can facilitate web cache poisoning attacks through parameter cloaking.
On which platforms is CVE-2020-28473 relevant?
CVE-2020-28473 is relevant primarily on systems using the Bottle package and affected Debian distributions.
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/weakness
- agent/severity
- agent/description
- agent/event
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-qhx9-7hx7-cp4r
- alias/CVE-2020-28473
- agent/software-canonical-lookup
- agent/references
- agent/last-modified-date
- collector/github-advisory
- agent/trending
- agent/source
- agent/author
- agent/softwarecombine
- agent/tags
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/pip
- vendor/bottlepy
- canonical/bottle
- vendor/debian
- canonical/debian
- version/debian/9.0