Bug 1093255 (CVE-2014-3137)

Summary: CVE-2014-3137 python-bottle: JSON content-type not restrictive enough
Product: [Other] Security Response Reporter: Murray McAllister <mmcallis>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: carnil, metherid
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 02:32:47 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1093257    
Bug Blocks:    

Description Murray McAllister 2014-05-01 04:26:09 UTC 
It was reported that the JSON content-type was not restrictive enough. Bottle treated "text/plain;application/json" as JSON, allowing attackers to bypass intended security mechanisms. From the upstream report, "For example Chrome will not allow cross-origin xmlhttprequests with the content type set to "application/json" but you can set it to "text/plain;application/json" instead and bottle will accept it.".

Upstream report: https://github.com/defnull/bottle/issues/616

Patches for master, 0.11, and 0.12, respectively:

https://github.com/defnull/bottle/commit/7c3226867d9005903e268fedd819389ab8c6336d
https://github.com/defnull/bottle/commit/a3c7b6eba63f41968c78ea61a2dd1bf334cff4b0
https://github.com/defnull/bottle/commit/2589f5a808da9d0c2d153c379557e1a090acdf04
Comment 1 Murray McAllister 2014-05-01 04:28:00 UTC 
Created python-bottle tracking bugs for this issue:

Affects: fedora-all [bug 1093257]
Comment 2 Murray McAllister 2014-05-01 04:34:47 UTC 
CVE request: http://www.openwall.com/lists/oss-security/2014/05/01/10
Comment 3 Murray McAllister 2014-05-02 02:26:09 UTC 
MITRE assigned CVE-2014-3137 to this issue:

http://www.openwall.com/lists/oss-security/2014/05/01/15
Comment 4 Fedora Update System 2014-08-15 02:30:49 UTC 
python-bottle-0.12.6-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2014-08-15 02:50:14 UTC 
python-bottle-0.12.6-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Product Security DevOps Team 2019-06-08 02:32:47 UTC 
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.