Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:pypi/tornado@4.4.2

Type pypi

Namespace

Name tornado

Version 4.4.2

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 6.5.5

Latest_non_vulnerable_version 6.5.5

Affected_by_vulnerabilities

url VCID-bgqs-ey1s-5fhn

vulnerability_id VCID-bgqs-ey1s-5fhn

summary

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-52804.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-52804.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-52804

reference_id

reference_type

scores

value	0.0016
scoring_system	epss
scoring_elements	0.3675
published_at	2026-06-11T12:55:00Z

value	0.0016
scoring_system	epss
scoring_elements	0.36929
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-52804

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52804
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52804

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/tornadoweb/tornado

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/tornadoweb/tornado

reference_url

https://lists.debian.org/debian-lts-announce/2025/01/msg00000.html

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2025/01/msg00000.html

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-52804

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-52804

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088112
reference_id	1088112
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088112

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2328045
reference_id	2328045
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2328045

reference_url

https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533

reference_id

d5ba4a1695fbf7c6a3e54313262639b198291533

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-25T17:54:41Z/

url

https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533

reference_url

https://github.com/advisories/GHSA-7pwv-g7hj-39pr

reference_id

GHSA-7pwv-g7hj-39pr

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-25T17:54:41Z/

url

https://github.com/advisories/GHSA-7pwv-g7hj-39pr

reference_url	https://github.com/advisories/GHSA-8w49-h785-mj3c
reference_id	GHSA-8w49-h785-mj3c
reference_type
scores
url	https://github.com/advisories/GHSA-8w49-h785-mj3c

reference_url

https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c

reference_id

GHSA-8w49-h785-mj3c

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-25T17:54:41Z/

url

https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c

reference_url	https://access.redhat.com/errata/RHSA-2024:10590
reference_id	RHSA-2024:10590
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:10590

reference_url	https://access.redhat.com/errata/RHSA-2024:10836
reference_id	RHSA-2024:10836
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:10836

reference_url	https://access.redhat.com/errata/RHSA-2024:10843
reference_id	RHSA-2024:10843
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:10843

reference_url	https://access.redhat.com/errata/RHSA-2025:2470
reference_id	RHSA-2025:2470
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:2470

reference_url	https://access.redhat.com/errata/RHSA-2025:2471
reference_id	RHSA-2025:2471
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:2471

reference_url	https://access.redhat.com/errata/RHSA-2025:2550
reference_id	RHSA-2025:2550
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:2550

reference_url	https://access.redhat.com/errata/RHSA-2025:2872
reference_id	RHSA-2025:2872
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:2872

reference_url	https://access.redhat.com/errata/RHSA-2025:2955
reference_id	RHSA-2025:2955
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:2955

reference_url	https://access.redhat.com/errata/RHSA-2025:2956
reference_id	RHSA-2025:2956
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:2956

reference_url	https://access.redhat.com/errata/RHSA-2025:3108
reference_id	RHSA-2025:3108
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:3108

reference_url	https://access.redhat.com/errata/RHSA-2025:3109
reference_id	RHSA-2025:3109
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:3109

reference_url	https://usn.ubuntu.com/7150-1/
reference_id	USN-7150-1
reference_type
scores
url	https://usn.ubuntu.com/7150-1/

fixed_packages

url pkg:pypi/tornado@6.4.2

purl pkg:pypi/tornado@6.4.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-f1ya-qesa-47eb

vulnerability	VCID-hewd-eun7-q7ab

vulnerability	VCID-jb5p-19p9-t7du

vulnerability	VCID-wjm5-ngw7-qbhd

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/tornado@6.4.2

aliases CVE-2024-52804, GHSA-8w49-h785-mj3c

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bgqs-ey1s-5fhn

url VCID-cqf7-yfwd-nfdy

vulnerability_id VCID-cqf7-yfwd-nfdy

summary

Tornado vulnerable to HTTP request smuggling via improper parsing of `Content-Length` fields and chunk lengths
## Summary
Tornado interprets `-`, `+`, and `_` in chunk length and `Content-Length` values, which are not allowed by the HTTP RFCs. This can result in request smuggling when Tornado is deployed behind certain proxies that interpret those non-standard characters differently. This is known to apply to older versions of haproxy, although the current release is not affected.

## Details
Tornado uses the `int` constructor to parse the values of `Content-Length` headers and chunk lengths in the following locations:
### `tornado/http1connection.py:445`
```python3
            self._expected_content_remaining = int(headers["Content-Length"])
```
### `tornado/http1connection.py:621`
```python3
                content_length = int(headers["Content-Length"])  # type: Optional[int]
```
### `tornado/http1connection.py:671`
```python3
            chunk_len = int(chunk_len_str.strip(), 16)
```
Because `int("0_0") == int("+0") == int("-0") == int("0")`, using the `int` constructor to parse and validate strings that should contain only ASCII digits is not a good strategy.

references

reference_url

https://github.com/tornadoweb/tornado

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/tornadoweb/tornado

reference_url

https://github.com/tornadoweb/tornado/commit/b7a5dd29bb02950303ae96055082c12a1ea0a4fe

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/tornadoweb/tornado/commit/b7a5dd29bb02950303ae96055082c12a1ea0a4fe

reference_url

https://github.com/tornadoweb/tornado/security/advisories/GHSA-qppv-j76h-2rpx

reference_id

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/tornadoweb/tornado/security/advisories/GHSA-qppv-j76h-2rpx

reference_url

https://github.com/advisories/GHSA-qppv-j76h-2rpx

reference_id

GHSA-qppv-j76h-2rpx

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-qppv-j76h-2rpx

fixed_packages

url pkg:pypi/tornado@6.3.3

purl pkg:pypi/tornado@6.3.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-bgqs-ey1s-5fhn

vulnerability	VCID-f1ya-qesa-47eb

vulnerability	VCID-hewd-eun7-q7ab

vulnerability	VCID-jb5p-19p9-t7du

vulnerability	VCID-mpc3-phwa-47az

vulnerability	VCID-wjm5-ngw7-qbhd

vulnerability	VCID-zhjq-qmgr-qkd7

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/tornado@6.3.3

aliases GHSA-qppv-j76h-2rpx, GMS-2023-1908

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-cqf7-yfwd-nfdy

url VCID-f1ya-qesa-47eb

vulnerability_id VCID-f1ya-qesa-47eb

summary

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-35536.json

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-35536.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-35536

reference_id

reference_type

scores

value	0.00019
scoring_system	epss
scoring_elements	0.05255
published_at	2026-06-11T12:55:00Z

value	0.00019
scoring_system	epss
scoring_elements	0.0527
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-35536

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-35536
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-35536

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/tornadoweb/tornado

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/tornadoweb/tornado

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-35536

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-35536

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132367
reference_id	1132367
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132367

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2454716
reference_id	2454716
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2454716

reference_url

https://github.com/tornadoweb/tornado/security/advisories/GHSA-78cv-mqj4-43f7

reference_id

GHSA-78cv-mqj4-43f7

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-03T13:12:08Z/

url

https://github.com/tornadoweb/tornado/security/advisories/GHSA-78cv-mqj4-43f7

reference_url

https://github.com/advisories/GHSA-fqwm-6jpj-5wxc

reference_id

GHSA-fqwm-6jpj-5wxc

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-fqwm-6jpj-5wxc

reference_url	https://access.redhat.com/errata/RHSA-2026:13641
reference_id	RHSA-2026:13641
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:13641

reference_url	https://access.redhat.com/errata/RHSA-2026:13670
reference_id	RHSA-2026:13670
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:13670

reference_url	https://access.redhat.com/errata/RHSA-2026:19034
reference_id	RHSA-2026:19034
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:19034

reference_url	https://access.redhat.com/errata/RHSA-2026:19189
reference_id	RHSA-2026:19189
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:19189

reference_url	https://access.redhat.com/errata/RHSA-2026:20572
reference_id	RHSA-2026:20572
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:20572

reference_url	https://access.redhat.com/errata/RHSA-2026:20573
reference_id	RHSA-2026:20573
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:20573

reference_url	https://access.redhat.com/errata/RHSA-2026:20577
reference_id	RHSA-2026:20577
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:20577

reference_url	https://access.redhat.com/errata/RHSA-2026:20810
reference_id	RHSA-2026:20810
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:20810

reference_url	https://access.redhat.com/errata/RHSA-2026:24342
reference_id	RHSA-2026:24342
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:24342

reference_url	https://usn.ubuntu.com/8198-1/
reference_id	USN-8198-1
reference_type
scores
url	https://usn.ubuntu.com/8198-1/

reference_url	https://usn.ubuntu.com/8198-2/
reference_id	USN-8198-2
reference_type
scores
url	https://usn.ubuntu.com/8198-2/

reference_url

https://github.com/tornadoweb/tornado/releases/tag/v6.5.5

reference_id

v6.5.5

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-03T13:12:08Z/

url

https://github.com/tornadoweb/tornado/releases/tag/v6.5.5

fixed_packages

url	pkg:pypi/tornado@6.5.5
purl	pkg:pypi/tornado@6.5.5
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:pypi/tornado@6.5.5

aliases CVE-2026-35536, GHSA-fqwm-6jpj-5wxc

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-f1ya-qesa-47eb

url VCID-hewd-eun7-q7ab

vulnerability_id VCID-hewd-eun7-q7ab

summary

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-47287.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-47287.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-47287

reference_id

reference_type

scores

value	0.01164
scoring_system	epss
scoring_elements	0.7903
published_at	2026-06-11T12:55:00Z

value	0.01164
scoring_system	epss
scoring_elements	0.79096
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-47287

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-47287
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-47287

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/tornadoweb/tornado

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/tornadoweb/tornado

reference_url

https://lists.debian.org/debian-lts-announce/2025/05/msg00038.html

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2025/05/msg00038.html

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-47287

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-47287

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1105886
reference_id	1105886
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1105886

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2366703
reference_id	2366703
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2366703

reference_url

https://github.com/tornadoweb/tornado/commit/b39b892bf78fe8fea01dd45199aa88307e7162f3

reference_id

b39b892bf78fe8fea01dd45199aa88307e7162f3

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-16T13:36:22Z/

url

https://github.com/tornadoweb/tornado/commit/b39b892bf78fe8fea01dd45199aa88307e7162f3

reference_url	https://github.com/advisories/GHSA-7cx3-6m66-7c5m
reference_id	GHSA-7cx3-6m66-7c5m
reference_type
scores
url	https://github.com/advisories/GHSA-7cx3-6m66-7c5m

reference_url

https://github.com/tornadoweb/tornado/security/advisories/GHSA-7cx3-6m66-7c5m

reference_id

GHSA-7cx3-6m66-7c5m

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-16T13:36:22Z/

url

https://github.com/tornadoweb/tornado/security/advisories/GHSA-7cx3-6m66-7c5m

reference_url	https://access.redhat.com/errata/RHSA-2025:8135
reference_id	RHSA-2025:8135
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:8135

reference_url	https://access.redhat.com/errata/RHSA-2025:8136
reference_id	RHSA-2025:8136
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:8136

reference_url	https://access.redhat.com/errata/RHSA-2025:8223
reference_id	RHSA-2025:8223
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:8223

reference_url	https://access.redhat.com/errata/RHSA-2025:8226
reference_id	RHSA-2025:8226
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:8226

reference_url	https://access.redhat.com/errata/RHSA-2025:8254
reference_id	RHSA-2025:8254
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:8254

reference_url	https://access.redhat.com/errata/RHSA-2025:8279
reference_id	RHSA-2025:8279
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:8279

reference_url	https://access.redhat.com/errata/RHSA-2025:8290
reference_id	RHSA-2025:8290
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:8290

reference_url	https://access.redhat.com/errata/RHSA-2025:8291
reference_id	RHSA-2025:8291
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:8291

reference_url	https://access.redhat.com/errata/RHSA-2025:8323
reference_id	RHSA-2025:8323
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:8323

reference_url	https://access.redhat.com/errata/RHSA-2025:8664
reference_id	RHSA-2025:8664
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:8664

reference_url	https://usn.ubuntu.com/7547-1/
reference_id	USN-7547-1
reference_type
scores
url	https://usn.ubuntu.com/7547-1/

fixed_packages

url pkg:pypi/tornado@6.5

purl pkg:pypi/tornado@6.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-f1ya-qesa-47eb

vulnerability	VCID-jb5p-19p9-t7du

vulnerability	VCID-wjm5-ngw7-qbhd

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/tornado@6.5

aliases CVE-2025-47287, GHSA-7cx3-6m66-7c5m

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hewd-eun7-q7ab

url VCID-jb5p-19p9-t7du

vulnerability_id VCID-jb5p-19p9-t7du

summary

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31958.json

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31958.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-31958

reference_id

reference_type

scores

value	0.00028
scoring_system	epss
scoring_elements	0.08467
published_at	2026-06-11T12:55:00Z

value	0.00028
scoring_system	epss
scoring_elements	0.08506
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-31958

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31958
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31958

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/pypa/advisory-database/tree/main/vulns/tornado/PYSEC-2026-140.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/pypa/advisory-database/tree/main/vulns/tornado/PYSEC-2026-140.yaml

reference_url

https://github.com/tornadoweb/tornado

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/tornadoweb/tornado

reference_url

https://github.com/tornadoweb/tornado/commit/119a195e290c43ad2d63a2cf012c29d43d6ed839

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/tornadoweb/tornado/commit/119a195e290c43ad2d63a2cf012c29d43d6ed839

reference_url

https://lists.debian.org/debian-lts-announce/2026/04/msg00000.html

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2026/04/msg00000.html

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-31958

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-31958

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130507
reference_id	1130507
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130507

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2446765
reference_id	2446765
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2446765

reference_url

https://github.com/advisories/GHSA-qjxf-f2mg-c6mc

reference_id

GHSA-qjxf-f2mg-c6mc

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-qjxf-f2mg-c6mc

reference_url

https://github.com/tornadoweb/tornado/security/advisories/GHSA-qjxf-f2mg-c6mc

reference_id

GHSA-qjxf-f2mg-c6mc

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-12T19:55:43Z/

url

https://github.com/tornadoweb/tornado/security/advisories/GHSA-qjxf-f2mg-c6mc

reference_url	https://access.redhat.com/errata/RHSA-2026:10184
reference_id	RHSA-2026:10184
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:10184

reference_url	https://access.redhat.com/errata/RHSA-2026:11454
reference_id	RHSA-2026:11454
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:11454

reference_url	https://access.redhat.com/errata/RHSA-2026:11493
reference_id	RHSA-2026:11493
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:11493

reference_url	https://access.redhat.com/errata/RHSA-2026:11494
reference_id	RHSA-2026:11494
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:11494

reference_url	https://access.redhat.com/errata/RHSA-2026:11495
reference_id	RHSA-2026:11495
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:11495

reference_url	https://access.redhat.com/errata/RHSA-2026:13641
reference_id	RHSA-2026:13641
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:13641

reference_url	https://access.redhat.com/errata/RHSA-2026:13670
reference_id	RHSA-2026:13670
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:13670

reference_url	https://access.redhat.com/errata/RHSA-2026:19034
reference_id	RHSA-2026:19034
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:19034

reference_url	https://access.redhat.com/errata/RHSA-2026:19189
reference_id	RHSA-2026:19189
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:19189

reference_url	https://access.redhat.com/errata/RHSA-2026:20572
reference_id	RHSA-2026:20572
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:20572

reference_url	https://access.redhat.com/errata/RHSA-2026:20573
reference_id	RHSA-2026:20573
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:20573

reference_url	https://access.redhat.com/errata/RHSA-2026:20577
reference_id	RHSA-2026:20577
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:20577

reference_url	https://access.redhat.com/errata/RHSA-2026:20810
reference_id	RHSA-2026:20810
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:20810

reference_url	https://access.redhat.com/errata/RHSA-2026:24342
reference_id	RHSA-2026:24342
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:24342

reference_url	https://access.redhat.com/errata/RHSA-2026:24977
reference_id	RHSA-2026:24977
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:24977

reference_url	https://access.redhat.com/errata/RHSA-2026:8093
reference_id	RHSA-2026:8093
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:8093

reference_url	https://usn.ubuntu.com/8198-1/
reference_id	USN-8198-1
reference_type
scores
url	https://usn.ubuntu.com/8198-1/

reference_url	https://usn.ubuntu.com/8198-2/
reference_id	USN-8198-2
reference_type
scores
url	https://usn.ubuntu.com/8198-2/

fixed_packages

url	pkg:pypi/tornado@6.5.5
purl	pkg:pypi/tornado@6.5.5
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:pypi/tornado@6.5.5

aliases CVE-2026-31958, GHSA-qjxf-f2mg-c6mc, PYSEC-2026-140

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-jb5p-19p9-t7du

url VCID-mpc3-phwa-47az

vulnerability_id VCID-mpc3-phwa-47az

summary Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in tornado

references

reference_url

https://github.com/tornadoweb/tornado

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/tornadoweb/tornado

reference_url

https://github.com/tornadoweb/tornado/commit/d65f6e71a77f53a1ff0a0dc55704be13f04eb572

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/tornadoweb/tornado/commit/d65f6e71a77f53a1ff0a0dc55704be13f04eb572

reference_url

https://github.com/advisories/GHSA-753j-mpmx-qq6g

reference_id

GHSA-753j-mpmx-qq6g

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-753j-mpmx-qq6g

reference_url

https://github.com/tornadoweb/tornado/security/advisories/GHSA-753j-mpmx-qq6g

reference_id

GHSA-753j-mpmx-qq6g

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/tornadoweb/tornado/security/advisories/GHSA-753j-mpmx-qq6g

fixed_packages

url pkg:pypi/tornado@6.4.1

purl pkg:pypi/tornado@6.4.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-bgqs-ey1s-5fhn

vulnerability	VCID-f1ya-qesa-47eb

vulnerability	VCID-hewd-eun7-q7ab

vulnerability	VCID-jb5p-19p9-t7du

vulnerability	VCID-wjm5-ngw7-qbhd

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/tornado@6.4.1

aliases GHSA-753j-mpmx-qq6g

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-mpc3-phwa-47az

url VCID-sgsh-jsn8-xygx

vulnerability_id VCID-sgsh-jsn8-xygx

summary

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-28370.json

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-28370.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-28370

reference_id

reference_type

scores

value	0.0043
scoring_system	epss
scoring_elements	0.62991
published_at	2026-06-11T12:55:00Z

value	0.005
scoring_system	epss
scoring_elements	0.66494
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-28370

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28370
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28370

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	3.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/advisories/GHSA-hj3f-6gcp-jg8j

reference_id

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-hj3f-6gcp-jg8j

reference_url

https://github.com/pypa/advisory-database/tree/main/vulns/tornado/PYSEC-2023-75.yaml

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/pypa/advisory-database/tree/main/vulns/tornado/PYSEC-2023-75.yaml

reference_url

https://github.com/tornadoweb/tornado

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/tornadoweb/tornado

reference_url

https://github.com/tornadoweb/tornado/commit/32ad07c54e607839273b4e1819c347f5c8976b2f

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/tornadoweb/tornado/commit/32ad07c54e607839273b4e1819c347f5c8976b2f

reference_url

https://jvn.jp/en/jp/JVN45127776

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://jvn.jp/en/jp/JVN45127776

reference_url

https://lists.debian.org/debian-lts-announce/2025/01/msg00000.html

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2025/01/msg00000.html

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-28370

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-28370

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036875
reference_id	1036875
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036875

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2210199
reference_id	2210199
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2210199

reference_url

https://jvn.jp/en/jp/JVN45127776/

reference_id

JVN45127776

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-16T15:19:04Z/

url

https://jvn.jp/en/jp/JVN45127776/

reference_url	https://access.redhat.com/errata/RHSA-2023:6523
reference_id	RHSA-2023:6523
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:6523

reference_url	https://usn.ubuntu.com/6159-1/
reference_id	USN-6159-1
reference_type
scores
url	https://usn.ubuntu.com/6159-1/

reference_url	https://usn.ubuntu.com/7150-1/
reference_id	USN-7150-1
reference_type
scores
url	https://usn.ubuntu.com/7150-1/

reference_url

https://github.com/tornadoweb/tornado/releases/tag/v6.3.2

reference_id

v6.3.2

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-16T15:19:04Z/

url

https://github.com/tornadoweb/tornado/releases/tag/v6.3.2

fixed_packages

url pkg:pypi/tornado@6.3.2

purl pkg:pypi/tornado@6.3.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-bgqs-ey1s-5fhn

vulnerability	VCID-cqf7-yfwd-nfdy

vulnerability	VCID-f1ya-qesa-47eb

vulnerability	VCID-hewd-eun7-q7ab

vulnerability	VCID-jb5p-19p9-t7du

vulnerability	VCID-mpc3-phwa-47az

vulnerability	VCID-wjm5-ngw7-qbhd

vulnerability	VCID-zhjq-qmgr-qkd7

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/tornado@6.3.2

aliases CVE-2023-28370, GHSA-hj3f-6gcp-jg8j, PYSEC-2023-75

risk_score 3.4

exploitability 0.5

weighted_severity 6.7

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-sgsh-jsn8-xygx

url VCID-wjm5-ngw7-qbhd

vulnerability_id VCID-wjm5-ngw7-qbhd

summary Tornado has incomplete validation of cookie attributes

references

reference_url

https://github.com/tornadoweb/tornado

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/tornadoweb/tornado

reference_url

https://github.com/tornadoweb/tornado/commit/24a2d96ea115f663b223887deb0060f13974c104

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/tornadoweb/tornado/commit/24a2d96ea115f663b223887deb0060f13974c104

reference_url

https://github.com/advisories/GHSA-78cv-mqj4-43f7

reference_id

GHSA-78cv-mqj4-43f7

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-78cv-mqj4-43f7

reference_url

https://github.com/tornadoweb/tornado/security/advisories/GHSA-78cv-mqj4-43f7

reference_id

GHSA-78cv-mqj4-43f7

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/tornadoweb/tornado/security/advisories/GHSA-78cv-mqj4-43f7

fixed_packages

url	pkg:pypi/tornado@6.5.5
purl	pkg:pypi/tornado@6.5.5
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:pypi/tornado@6.5.5

aliases GHSA-78cv-mqj4-43f7

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-wjm5-ngw7-qbhd

url VCID-zhjq-qmgr-qkd7

vulnerability_id VCID-zhjq-qmgr-qkd7

summary Tornado has a CRLF injection in CurlAsyncHTTPClient headers

references

reference_url

https://github.com/tornadoweb/tornado

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/tornadoweb/tornado

reference_url

https://github.com/tornadoweb/tornado/commit/7786f09f84c9f3f2012c4cf3878417cb9f053669

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/tornadoweb/tornado/commit/7786f09f84c9f3f2012c4cf3878417cb9f053669

reference_url

https://github.com/advisories/GHSA-w235-7p84-xx57

reference_id

GHSA-w235-7p84-xx57

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-w235-7p84-xx57

reference_url

https://github.com/tornadoweb/tornado/security/advisories/GHSA-w235-7p84-xx57

reference_id

GHSA-w235-7p84-xx57

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/tornadoweb/tornado/security/advisories/GHSA-w235-7p84-xx57

fixed_packages

url pkg:pypi/tornado@6.4.1

purl pkg:pypi/tornado@6.4.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-bgqs-ey1s-5fhn

vulnerability	VCID-f1ya-qesa-47eb

vulnerability	VCID-hewd-eun7-q7ab

vulnerability	VCID-jb5p-19p9-t7du

vulnerability	VCID-wjm5-ngw7-qbhd

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/tornado@6.4.1

aliases GHSA-w235-7p84-xx57

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-zhjq-qmgr-qkd7

Fixing_vulnerabilities

Risk_score 4.0

Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/tornado@4.4.2

Package Instance