Vulnerability Name: CVE-2016-9964 (CCN-119908)

Assigned:2016-12-16
Published:2016-12-16
Updated:2017-01-11
Summary:redirect() in bottle.py in bottle 0.12.10 doesn't filter a "\r\n" sequence, which leads to a CRLF attack, as demonstrated by a redirect("233\r\nSet-Cookie: name=salt") call.
CVSS v3 Severity: 6.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
5.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): High
Availability (A): None
6.1 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
5.3 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope: Scope (S): Changed
Impact Metrics: Confidentiality (C): Low
Integrity (I): Low
Availability (A): None
CVSS v2 Severity: 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
5.5 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single Instance
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): None
Vulnerability Type: CWE-93 (Improper Neutralization of CRLF Sequences, "CRLF Injection")
Vulnerability Consequences: Gain Access
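The summary describes a CWE-93 header injection: redirect() placed the caller-supplied target into the Location header unchecked, so a "\r\n" inside that value ends the Location line and whatever follows it is parsed by the client as a further header (here, an attacker-chosen Set-Cookie). The Python below is an added example, not code from bottle or from the linked fix commit; the header builder, the parser and the sample targets are this example's own constructions. It shows the split as a receiving client would see it, next to the kind of guard that stops it: rejecting control characters before the value reaches a header line, which is also the approach the linked "Harden bottle against malformed headers" fix takes.

```python
# Added example, not bottle's own code: reproduces the CRLF header injection
# from the CVE summary with a minimal header builder, then shows a guard
# that refuses control characters in header values (CWE-93).

# Constructed sample targets. The first is the one quoted in the summary.
MALICIOUS_TARGET = "233\r\nSet-Cookie: name=salt"
BENIGN_TARGET = "/login?next=%2Fhome"


def serialize_headers(headers):
    """Emit a header block the way an unguarded framework would: no
    validation, one "Name: value\\r\\n" line per pair, blank line to end."""
    return "".join(f"{name}: {value}\r\n" for name, value in headers) + "\r\n"


def parse_header_block(raw):
    """Parse a header block back into (name, value) pairs the way a
    receiving HTTP client does, stopping at the first empty line."""
    pairs = []
    for line in raw.split("\r\n"):
        if line == "":
            break
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip()))
    return pairs


def unfiltered_redirect_headers(target):
    """Vulnerable behaviour: the caller-supplied target goes straight into
    the Location header, which is what the summary describes for 0.12.10."""
    return [("Location", target)]


def headers_seen_by_client(target):
    """The headers a client parses out of an unfiltered redirect to target."""
    raw = serialize_headers(unfiltered_redirect_headers(target))
    return parse_header_block(raw)


def is_safe_header_value(value):
    """CWE-93 guard: a header value must contain no CR, LF or NUL. A bare
    LF is checked on its own because RFC 7230 lets recipients treat a
    single LF as a line terminator."""
    return not any(ch in value for ch in ("\r", "\n", "\0"))


def hardened_redirect_headers(target):
    """Hardened behaviour: refuse to build the response rather than try to
    sanitize the target, so an injected line never reaches the wire."""
    if not is_safe_header_value(target):
        raise ValueError(f"control character in redirect target: {target!r}")
    return [("Location", target)]


if __name__ == "__main__":
    # The attacker's Set-Cookie arrives as a header of its own.
    for name, value in headers_seen_by_client(MALICIOUS_TARGET):
        print(f"{name}: {value}")
    try:
        hardened_redirect_headers(MALICIOUS_TARGET)
    except ValueError as exc:
        print("rejected:", exc)
```

The guard only matters where the redirect target is derived from request input (a next= parameter, for instance), which is also why the vectors above carry UI:R: the attacker has to get a victim to follow a link whose controlled part reaches redirect(). Rejecting the value outright is preferable to stripping CR/LF, since stripping silently changes the destination and leaves the decoded-then-re-encoded cases to reason about.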
References:
Source: MITRE
Type: CNA
CVE-2016-9964

Source: CCN
Type: CA20160405-01
Security Notice for CA API Gateway

Source: DEBIAN
Type: Third Party Advisory
DSA-3743

Source: BID
Type: Third Party Advisory, VDB Entry
94961

Source: CCN
Type: BID-94961
Bottle CVE-2016-9964 CRLF Injection Security Bypass Vulnerability

Source: XF
Type: UNKNOWN
bottle-cve20169964-crlf-injection(119908)

Source: CCN
Type: bottle GIT Repository
fix #913: Harden bottle against malformed headers.

Source: CONFIRM
Type: Issue Tracking, Patch, Third Party Advisory
https://github.com/bottlepy/bottle/commit/6d7e13da0f998820800ecb3fe9ccee4189aefb54

Source: CONFIRM
Type: Issue Tracking, Patch, Third Party Advisory
https://github.com/bottlepy/bottle/issues/913

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2016-9964

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:bottlepy:bottle:0.12.10:*:*:*:*:*:*:*

Configuration 2:
  • cpe:/o:debian:debian_linux:8.0:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:bottlepy:bottle:0.12.10:*:*:*:*:*:*:*

* Denotes that component is vulnerable
Oval Definitions
Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:20169964 | V | CVE-2016-9964 | 2023-06-22
oval:org.opensuse.security:def:7974 | P | python3-bottle-0.12.13-150000.3.6.1 on GA media (Moderate) | 2023-06-12
oval:org.opensuse.security:def:709 | P | Security update for dpdk (Important) | 2022-08-23
oval:org.opensuse.security:def:3351 | P | radvd-1.9.7-2.12 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:1401 | P | Security update for the Linux Kernel (Live Patch 10 for SLE 15 SP3) (Important) (in QA) | 2022-06-27
oval:org.opensuse.security:def:94981 | P | python3-bottle-0.12.13-3.3.1 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:250 | P | openslp-2.0.0-6.15.1 on GA media (Moderate) | 2022-06-13
oval:org.opensuse.security:def:1511 | P | Security update for java-11-openjdk (Important) | 2022-05-03
oval:org.opensuse.security:def:1155 | P | Security update for go1.16 (Important) | 2022-04-12
oval:org.opensuse.security:def:957 | P | Security update for wpa_supplicant (Important) | 2022-03-04
oval:org.opensuse.security:def:113199 | P | python-bottle-doc-0.12.19-1.8 on GA media (Moderate) | 2022-01-17
oval:org.opensuse.security:def:70029 | P | Security update for libsndfile (Important) | 2022-01-11
oval:org.opensuse.security:def:819 | P | Security update for aaa_base (Moderate) | 2021-12-03
oval:org.opensuse.security:def:1045 | P | Security update for MozillaFirefox (Important) | 2021-11-19
oval:org.opensuse.security:def:64599 | P | Security update for apache2 (Important) | 2021-10-26
oval:org.opensuse.security:def:1271 | P | Security update for the Linux Kernel (Live Patch 3 for SLE 15 SP3) (Important) | 2021-10-12
oval:org.opensuse.security:def:106619 | P | python-bottle-doc-0.12.19-1.8 on GA media (Moderate) | 2021-10-01
oval:org.opensuse.security:def:1737 | P | Security update for the Linux Kernel (Important) | 2021-09-23
oval:org.opensuse.security:def:71193 | P | glibc-2.26-13.19.1 on GA media (Moderate) | 2021-09-21
oval:org.opensuse.security:def:71306 | P | libpython3_6m1_0-3.6.5-3.11.1 on GA media (Moderate) | 2021-09-21
oval:org.opensuse.security:def:71273 | P | liblcms2-2-2.9-3.3.1 on GA media (Moderate) | 2021-09-21
oval:org.opensuse.security:def:71386 | P | radvd-2.17-3.18 on GA media (Moderate) | 2021-09-21
oval:org.opensuse.security:def:1627 | P | Security update for xen (Important) | 2021-09-02
oval:org.opensuse.security:def:1478 | P | Security update for aws-cli, python-boto3, python-botocore, python-service_identity, python-trustme, python-urllib3 (Moderate) | 2021-08-23
oval:org.opensuse.security:def:47231 | P | cups-1.7.5-19.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:48229 | P | libxslt-tools-1.1.28-17.6.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:48041 | P | hardlink-1.0-6.38 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47939 | P | MozillaFirefox-68.1.0-109.92.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47100 | P | libzip2-0.11.1-12.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47928 | P | xorg-x11-server-1.19.6-2.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47245 | P | dstat-0.7.2-1.2 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:48291 | P | qemu-3.1.1.1-1.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47340 | P | libecpg6-9.6.3-2.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:48255 | P | pam-modules-12.1-23.12 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:48031 | P | gstreamer-1.8.3-9.5 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47232 | P | cups-filters-1.0.58-17.11 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47999 | P | ecryptfs-utils-103-8.3.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47366 | P | libkde4-32bit-4.12.0-10.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:48356 | P | zoo-2.10-1020.56 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47341 | P | libevent-2_0-5-2.0.21-4.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:48339 | P | wpa_supplicant-2.6-15.10.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:48179 | P | libpulse-mainloop-glib0-32bit-5.0-4.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47324 | P | libXv1-1.0.10-7.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47559 | P | audiofile-0.3.6-10.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47355 | P | libicu-doc-52.1-7.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47478 | P | python-PyYAML-3.12-25.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47472 | P | policycoreutils-2.5-9.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47691 | P | libapr-util1-1.5.3-2.3.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47476 | P | procmail-3.22-267.12 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47479 | P | python-cupshelpers-1.5.7-7.5 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47686 | P | libXv1-1.0.10-7.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47783 | P | libsndfile1-1.0.25-36.16.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47669 | P | libSoundTouch0-1.7.1-5.3.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47493 | P | rrdtool-1.4.7-20.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47770 | P | libproxy1-0.4.13-16.3 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47931 | P | yast2-core-3.3.1-1.7 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47801 | P | libusbmuxd4-1.0.10-2.3 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47614 | P | gd-2.1.0-24.9.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47832 | P | ntp-4.2.8p12-64.8.2 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47230 | P | ctags-5.8-7.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:48145 | P | liblua5_2-32bit-5.2.4-6.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47893 | P | strongswan-5.1.3-26.5.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47807 | P | libvorbis-doc-1.3.3-10.14.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:46907 | P | colord-gtk-lang-0.1.26-6.3 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47897 | P | sysconfig-0.84.0-13.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:62826 | P | python3-bottle-0.12.13-3.3.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:101232 | P | python3-bottle-0.12.13-3.3.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:72545 | P | python3-bottle-0.12.13-3.3.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:100811 | P | cryptsetup-2.3.4-1.34 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:68033 | P | Security update for the Linux Kernel (Live Patch 15 for SLE 15 SP1) (Important) | 2021-07-29
oval:org.opensuse.security:def:61339 | P | python2-bottle-0.12.13-1.26 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48706 | P | telepathy-gabble-0.18.1-3.268 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48691 | P | libqt4-sql-mysql-32bit-4.8.6-2.6 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48637 | P | tomcat-8.0.36-11.4 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48387 | P | coreutils-8.25-12.8 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48401 | P | dbus-1-glib-0.100.2-3.58 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48393 | P | cups-1.7.5-12.4 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48458 | P | libIlmImf-Imf_2_1-21-2.1.0-4.3 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48466 | P | libXfixes3-5.0.1-3.52 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48477 | P | libXvnc1-1.6.0-12.6 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:46771 | P | libsnmp30-32bit-5.7.3-4.2 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:71080 | P | python2-bottle-0.12.13-1.26 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48497 | P | libgoa-1_0-0-3.20.4-7.2 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48539 | P | libpoppler44-0.24.4-12.1 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:46772 | P | libsoup-2_4-1-2.44.2-1.46 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48568 | P | libvte9-0.28.2-19.7 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48604 | P | python-2.7.9-24.1 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:46786 | P | libxerces-c-3_1-3.1.1-4.1 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48635 | P | tcpdump-4.5.1-10.1 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:64686 | P | Security update for openvpn (Moderate) | 2021-05-12
oval:org.opensuse.security:def:64606 | P | Security update for python (Important) | 2021-02-09
oval:org.opensuse.security:def:64519 | P | Security update for wavpack (Moderate) | 2021-01-21
oval:org.opensuse.security:def:66778 | P | Security update for dnsmasq (Important) | 2021-01-19
oval:org.opensuse.security:def:67933 | P | Security update for the Linux Kernel (Live Patch 11 for SLE 15 SP1) (Important) | 2020-12-07
oval:org.opensuse.security:def:117035 | P | python3-bottle-0.12.13-1.26 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:72319 | P | python3-bottle-0.12.13-1.26 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:107477 | P | python3-bottle-0.12.13-1.26 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:62490 | P | python3-bottle-0.12.13-1.26 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:89950 | P | python3-bottle-0.12.13-1.26 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:72435 | P | python3-bottle-0.12.13-1.26 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:62600 | P | python3-bottle-0.12.13-1.26 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:94098 | P | python3-bottle-0.12.13-1.26 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:62716 | P | python3-bottle-0.12.13-1.26 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:72209 | P | python3-bottle-0.12.13-1.26 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:103605 | P | python3-bottle-0.12.13-1.26 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:70134 | P | python3-bottle on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49712 | P | python3-bottle on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49658 | P | libcairo2-32bit on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:66686 | P | Security update for xorg-x11-server (Important) | 2020-12-01
oval:org.opensuse.security:def:49919 | P | python2-bottle on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49865 | P | rpm-build on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:67953 | P | python3-bottle on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49486 | P | python3-bottle on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:67853 | P | ImageMagick on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49432 | P | libcups2-32bit on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49596 | P | python3-bottle on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49542 | P | libavcodec57 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:73351 | P | yast2-security on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:73469 | P | python3-bottle on GA media (Moderate) | 2020-12-01
oval:org.cisecurity:def:1661 | P | DSA-3743-1 -- python-bottle -- security update | 2017-01-27
oval:com.ubuntu.trusty:def:20169964000 | V | CVE-2016-9964 on Ubuntu 14.04 LTS (trusty) - medium. | 2016-12-18
oval:com.ubuntu.xenial:def:20169964000 | V | CVE-2016-9964 on Ubuntu 16.04 LTS (xenial) - medium. | 2016-12-18
oval:com.ubuntu.precise:def:20169964000 | V | CVE-2016-9964 on Ubuntu 12.04 LTS (precise) - medium. | 2016-12-18
oval:com.ubuntu.artful:def:20169964000 | V | CVE-2016-9964 on Ubuntu 17.10 (artful) - medium. | 2016-12-16
oval:com.ubuntu.disco:def:201699640000000 | V | CVE-2016-9964 on Ubuntu 19.04 (disco) - medium. | 2016-12-16
oval:com.ubuntu.cosmic:def:201699640000000 | V | CVE-2016-9964 on Ubuntu 18.10 (cosmic) - medium. | 2016-12-16
oval:com.ubuntu.bionic:def:20169964000 | V | CVE-2016-9964 on Ubuntu 18.04 LTS (bionic) - medium. | 2016-12-16
oval:com.ubuntu.bionic:def:201699640000000 | V | CVE-2016-9964 on Ubuntu 18.04 LTS (bionic) - medium. | 2016-12-16
oval:com.ubuntu.cosmic:def:20169964000 | V | CVE-2016-9964 on Ubuntu 18.10 (cosmic) - medium. | 2016-12-16
oval:com.ubuntu.xenial:def:201699640000000 | V | CVE-2016-9964 on Ubuntu 16.04 LTS (xenial) - medium. | 2016-12-16