Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:pypi/tornado@2.1.1
Typepypi
Namespace
Nametornado
Version2.1.1
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version6.5.5
Latest_non_vulnerable_version6.5.5
Affected_by_vulnerabilities
0
url VCID-96r3-89by-dyer
vulnerability_id VCID-96r3-89by-dyer
summary Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the max_body_size setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts. This vulnerability is fixed in 6.5.5.
references
0
reference_url https://github.com/tornadoweb/tornado/security/advisories/GHSA-qjxf-f2mg-c6mc
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://github.com/tornadoweb/tornado/security/advisories/GHSA-qjxf-f2mg-c6mc
1
reference_url https://lists.debian.org/debian-lts-announce/2026/04/msg00000.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://lists.debian.org/debian-lts-announce/2026/04/msg00000.html
fixed_packages
0
url pkg:pypi/tornado@6.5.5
purl pkg:pypi/tornado@6.5.5
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/tornado@6.5.5
aliases CVE-2026-31958, GHSA-qjxf-f2mg-c6mc, PYSEC-2026-140
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-96r3-89by-dyer
1
url VCID-a4ry-gnvn-e3a1
vulnerability_id VCID-a4ry-gnvn-e3a1
summary Open redirect vulnerability in Tornado versions 6.3.1 and earlier allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having user access a specially crafted URL.
references
0
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/tornado/PYSEC-2023-75.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/tornado/PYSEC-2023-75.yaml
1
reference_url https://github.com/tornadoweb/tornado
reference_id
reference_type
scores
url https://github.com/tornadoweb/tornado
2
reference_url https://github.com/tornadoweb/tornado/commit/32ad07c54e607839273b4e1819c347f5c8976b2f
reference_id
reference_type
scores
url https://github.com/tornadoweb/tornado/commit/32ad07c54e607839273b4e1819c347f5c8976b2f
3
reference_url https://github.com/tornadoweb/tornado/releases/tag/v6.3.2
reference_id
reference_type
scores
url https://github.com/tornadoweb/tornado/releases/tag/v6.3.2
4
reference_url https://jvn.jp/en/jp/JVN45127776
reference_id
reference_type
scores
url https://jvn.jp/en/jp/JVN45127776
5
reference_url https://jvn.jp/en/jp/JVN45127776/
reference_id
reference_type
scores
url https://jvn.jp/en/jp/JVN45127776/
6
reference_url https://lists.debian.org/debian-lts-announce/2025/01/msg00000.html
reference_id
reference_type
scores
url https://lists.debian.org/debian-lts-announce/2025/01/msg00000.html
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-28370
reference_id CVE-2023-28370
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-28370
8
reference_url https://github.com/advisories/GHSA-hj3f-6gcp-jg8j
reference_id GHSA-hj3f-6gcp-jg8j
reference_type
scores
url https://github.com/advisories/GHSA-hj3f-6gcp-jg8j
fixed_packages
0
url pkg:pypi/tornado@6.3.2
purl pkg:pypi/tornado@6.3.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-96r3-89by-dyer
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/tornado@6.3.2
aliases CVE-2023-28370, GHSA-hj3f-6gcp-jg8j, PYSEC-2023-75
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-a4ry-gnvn-e3a1
2
url VCID-gbeg-1cjj-fufw
vulnerability_id VCID-gbeg-1cjj-fufw
summary Tornado before 3.2.2 sends arbitrary responses that contain a fixed CSRF token and may be sent with HTTP compression, which makes it easier for remote attackers to conduct a BREACH attack and determine this token via a series of crafted requests.
references
0
reference_url http://openwall.com/lists/oss-security/2015/05/19/4
reference_id
reference_type
scores
url http://openwall.com/lists/oss-security/2015/05/19/4
1
reference_url https://bugzilla.novell.com/show_bug.cgi?id=930362
reference_id
reference_type
scores
url https://bugzilla.novell.com/show_bug.cgi?id=930362
2
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1222816
reference_id
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1222816
3
reference_url https://github.com/tornadoweb/tornado/commit/1c36307463b1e8affae100bf9386948e6c1b2308
reference_id
reference_type
scores
url https://github.com/tornadoweb/tornado/commit/1c36307463b1e8affae100bf9386948e6c1b2308
4
reference_url http://www.tornadoweb.org/en/stable/releases/v3.2.2.html
reference_id
reference_type
scores
url http://www.tornadoweb.org/en/stable/releases/v3.2.2.html
fixed_packages
0
url pkg:pypi/tornado@3.2.2
purl pkg:pypi/tornado@3.2.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-96r3-89by-dyer
1
vulnerability VCID-a4ry-gnvn-e3a1
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/tornado@3.2.2
aliases CVE-2014-9720, PYSEC-2020-213
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gbeg-1cjj-fufw
3
url VCID-sxra-vqmr-fybt
vulnerability_id VCID-sxra-vqmr-fybt
summary CRLF injection vulnerability in the tornado.web.RequestHandler.set_header function in Tornado before 2.2.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted input.
references
0
reference_url http://openwall.com/lists/oss-security/2012/05/18/12
reference_id
reference_type
scores
url http://openwall.com/lists/oss-security/2012/05/18/12
1
reference_url http://secunia.com/advisories/49185
reference_id
reference_type
scores
url http://secunia.com/advisories/49185
2
reference_url http://www.openwall.com/lists/oss-security/2012/05/18/6
reference_id
reference_type
scores
url http://www.openwall.com/lists/oss-security/2012/05/18/6
3
reference_url http://www.securityfocus.com/bid/53612
reference_id
reference_type
scores
url http://www.securityfocus.com/bid/53612
4
reference_url http://www.tornadoweb.org/documentation/releases/v2.2.1.html
reference_id
reference_type
scores
url http://www.tornadoweb.org/documentation/releases/v2.2.1.html
fixed_packages
0
url pkg:pypi/tornado@2.2.1
purl pkg:pypi/tornado@2.2.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-96r3-89by-dyer
1
vulnerability VCID-a4ry-gnvn-e3a1
2
vulnerability VCID-gbeg-1cjj-fufw
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/tornado@2.2.1
aliases CVE-2012-2374, PYSEC-2012-5
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-sxra-vqmr-fybt
Fixing_vulnerabilities
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:pypi/tornado@2.1.1