Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS04dzQ5LWg3ODUtbWozY84ABBnk
Tornado has an HTTP cookie parsing DoS vulnerability
The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This parsing occurs in the event loop thread and may block the processing of other requests.
See also CVE-2024-7592 for a similar vulnerability in cpython.
Permalink: https://github.com/advisories/GHSA-8w49-h785-mj3cJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04dzQ5LWg3ODUtbWozY84ABBnk
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 17 hours ago
Updated: about 15 hours ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-8w49-h785-mj3c, CVE-2024-52804
References:
- https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c
- https://nvd.nist.gov/vuln/detail/CVE-2024-52804
- https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533
- https://github.com/advisories/GHSA-8w49-h785-mj3c
Blast Radius: 37.9
Affected Packages
pypi:tornado
Dependent packages: 853Dependent repositories: 113,286
Downloads: 50,209,170 last month
Affected Version Ranges: <= 6.4.1
Fixed in: 6.4.2
All affected versions: 1.1.1, 1.2.1, 2.1.1, 2.2.1, 2.4.1, 3.0.1, 3.0.2, 3.1.1, 3.2.1, 3.2.2, 4.0.1, 4.0.2, 4.2.1, 4.4.1, 4.4.2, 4.4.3, 4.5.1, 4.5.2, 4.5.3, 5.0.1, 5.0.2, 5.1.1, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.3.1, 6.3.2, 6.3.3, 6.4.1
All unaffected versions: