Filtered by vendor Tornadoweb Subscriptions
Total 4 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2024-52804 2 Redhat, Tornadoweb 3 Enterprise Linux, Rhel Eus, Tornado 2024-11-25 7.5 High
Tornado is a Python web framework and asynchronous networking library. The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This parsing occurs in the event loop thread and may block the processing of other requests. Version 6.4.2 fixes the issue.
CVE-2023-28370 2 Redhat, Tornadoweb 2 Enterprise Linux, Tornado 2024-11-21 6.1 Medium
Open redirect vulnerability in Tornado versions 6.3.1 and earlier allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having user access a specially crafted URL.
CVE-2014-9720 1 Tornadoweb 1 Tornado 2024-11-21 6.5 Medium
Tornado before 3.2.2 sends arbitrary responses that contain a fixed CSRF token and may be sent with HTTP compression, which makes it easier for remote attackers to conduct a BREACH attack and determine this token via a series of crafted requests.
CVE-2012-2374 1 Tornadoweb 1 Tornado 2024-11-21 N/A
CRLF injection vulnerability in the tornado.web.RequestHandler.set_header function in Tornado before 2.2.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted input.