Medium severity 6.5 · NVD Advisory · Published Dec 16, 2016 · Updated Jun 17, 2026
CVE-2016-9964
Description
redirect() in bottle.py in bottle 0.12.10 doesn't filter a "\r\n" sequence, which leads to a CRLF attack, as demonstrated by a redirect("233\r\nSet-Cookie: name=salt") call.
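The effect described above, shown as an added example that is neither bottle's code nor its patch: a header serializer that emits the value unchecked next to one that rejects CR, LF and NUL. All function names are hypothetical, and the `303 See Other` status line is an assumption made for the illustration.

```python
# Added example: response-header serialization with and without CR/LF filtering.
# All function names are hypothetical; this is not bottle's code.

def serialize_naive(status, headers):
    """Join headers into a raw HTTP/1.1 head without validating values."""
    lines = ["HTTP/1.1 %s" % status]
    lines += ["%s: %s" % (name, value) for name, value in headers]
    return "\r\n".join(lines) + "\r\n\r\n"


def header_names(raw_head):
    """Return header names as a client would parse them from a raw head."""
    head = raw_head.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0] for line in head.split("\r\n")[1:] if ":" in line]


def checked_value(value):
    """Reject values that contain CR, LF or NUL instead of emitting them."""
    value = str(value)
    if any(ch in value for ch in "\r\n\0"):
        raise ValueError("control character in header value: %r" % value)
    return value


def serialize_checked(status, headers):
    """Same output format as serialize_naive, but every value is validated."""
    return serialize_naive(status, [(n, checked_value(v)) for n, v in headers])


def redirect_head(location, serializer):
    """Build the head of a redirect whose Location is caller-supplied."""
    # Assumption: a 303 status line, chosen only for this illustration.
    return serializer("303 See Other", [("Location", location)])


# The value from the CVE description, passed where a URL is expected.
CVE_VALUE = "233\r\nSet-Cookie: name=salt"

if __name__ == "__main__":
    # Unchecked: the client sees a second header the application never set.
    print(header_names(redirect_head(CVE_VALUE, serialize_naive)))
    try:
        redirect_head(CVE_VALUE, serialize_checked)
    except ValueError as exc:
        print("rejected:", exc)
```

Failing closed with an exception, rather than silently stripping the characters, makes the bad input visible in application logs.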
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| bottle (PyPI) | >= 0.10.1, < 0.12.11 | 0.12.11 |
References (9)
- github.com/bottlepy/bottle/commit/6d7e13da0f998820800ecb3fe9ccee4189aefb54 (nvd: Issue Tracking, Patch, Third Party Advisory, WEB)
- github.com/bottlepy/bottle/issues/913 (nvd: Issue Tracking, Patch, Third Party Advisory, WEB)
- www.debian.org/security/2016/dsa-3743 (nvd: Third Party Advisory, WEB)
- www.securityfocus.com/bid/94961 (nvd: Third Party Advisory, VDB Entry)
- github.com/advisories/GHSA-j6f7-hghw-g437 (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2016-9964 (ghsa: ADVISORY)
- github.com/bottlepy/bottle/commit/78f67d51965db11cb1ed0003f1eb7926458b5c2c (ghsa: WEB)
- github.com/pypa/advisory-database/tree/main/vulns/bottle/PYSEC-2016-24.yaml (ghsa: WEB)
- web.archive.org/web/20170214030628/http://www.securityfocus.com/bid/94961 (ghsa: WEB)