tornado@6.5b1 vulnerabilities

Tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed.

  • latest version

    6.5.4

  • latest non vulnerable version

  • first published

    15 years ago

  • latest version published

    11 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the tornado package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability / Vulnerable Version
    • Severity: High
    Excessive Iteration

    Affected versions of this package are vulnerable to Excessive Iteration in the _parseparam() function, which is used when parsing header parameters. An attacker can make the server unresponsive and consume excessive CPU by sending requests whose Content-Disposition header carries a large number of maliciously crafted parameters; the parsing loop runs far longer than the header size alone would suggest.

    How to fix Excessive Iteration?

    Upgrade tornado to version 6.5.3 or higher.

    Vulnerable versions: [,6.5.3) (all versions before 6.5.3)
    • Severity: Medium
    HTTP Header Injection

    Affected versions of this package are vulnerable to HTTP Header Injection via the reason argument in HTTP status handling. The reason phrase is written into the status line without being validated, so if an application passes attacker-controlled input to RequestHandler.set_status(reason=...) or to the reason parameter of tornado.web.HTTPError, carriage-return and line-feed characters in that input terminate the status line early. The attacker can then append arbitrary HTTP headers, or split the response and supply a body of their own, which can be used to run malicious scripts in the victim's browser.

    Workaround:

    This issue can be mitigated by never passing untrusted data to the reason argument, or by validating it first: reject any value containing CR, LF or other control characters, and fall back to a fixed reason phrase when validation fails.

    How to fix HTTP Header Injection?

    Upgrade tornado to version 6.5.3 or higher.

    Vulnerable versions: [,6.5.3) (all versions before 6.5.3)
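The workaround above in working form, as an added example that is not part of the Snyk page or of tornado's own code. `safe_reason()` accepts only what RFC 9112 allows in a reason-phrase (HTAB, SP, visible ASCII and obs-text; never CR or LF) and otherwise substitutes a fixed phrase, so it can sit in front of `RequestHandler.set_status(code, reason=...)` or `tornado.web.HTTPError(code, reason=...)`. The fallback text, the 128-character cap, the serializer and the attacker string are this example's own constructions; tornado itself is not imported, so the block runs without it and shows the status line and header set a client would see with and without the guard.

```python
import re

# RFC 9112 reason-phrase = *( HTAB / SP / VCHAR / obs-text ). CR and LF are
# excluded, so any CR or LF in an attacker-controlled reason ends the status
# line early and everything after it is parsed as headers (or as a body).
_REASON_PHRASE = re.compile(r"^[\t \x21-\x7e\x80-\xff]*$")


def safe_reason(reason, fallback="Error", max_len=128):
    """Return `reason` unchanged if it is a valid reason-phrase, else `fallback`.

    Put this in front of RequestHandler.set_status(code, reason=...) and
    tornado.web.HTTPError(code, reason=...) whenever `reason` may come from
    request data. The fallback text and the length cap are this example's choices.
    """
    if not isinstance(reason, str) or len(reason) > max_len:
        return fallback
    if not _REASON_PHRASE.match(reason):
        return fallback
    return reason


def response_head(code, reason, headers):
    """Serialize a status line and headers the way an HTTP/1.1 server writes them.

    Deliberately does no validation: it models an unpatched server that copies
    the reason phrase into the status line untouched.
    """
    out = ["HTTP/1.1 %d %s\r\n" % (code, reason)]
    for name, value in headers:
        out.append("%s: %s\r\n" % (name, value))
    out.append("\r\n")
    return "".join(out)


def parse_head(raw):
    """Parse a response head as a client would: status line, then headers up to the blank line."""
    status, _, rest = raw.partition("\r\n")
    parts = status.split(" ", 2)
    code = int(parts[1])
    reason = parts[2] if len(parts) > 2 else ""
    headers = {}
    for line in rest.split("\r\n"):
        if line == "":
            break
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return {"code": code, "reason": reason, "headers": headers}


# Constructed attacker input: a reason phrase that smuggles two extra header lines.
ATTACKER_REASON = "Not Found\r\nSet-Cookie: session=attacker\r\nX-Injected: 1"
APP_HEADERS = [("Content-Type", "text/plain")]


def demo():
    """Return (unguarded, guarded) parsed heads for the constructed attacker reason."""
    unguarded = parse_head(response_head(404, ATTACKER_REASON, APP_HEADERS))
    guarded = parse_head(response_head(404, safe_reason(ATTACKER_REASON), APP_HEADERS))
    return unguarded, guarded


if __name__ == "__main__":
    u, g = demo()
    print("unguarded headers:", sorted(u["headers"]))
    print("guarded reason:", repr(g["reason"]), "headers:", sorted(g["headers"]))
```

In a handler this reads `self.set_status(404, reason=safe_reason(user_supplied))` or `raise tornado.web.HTTPError(400, reason=safe_reason(user_supplied))`. Falling back to a fixed phrase rather than stripping the CR/LF keeps the attacker from shaping even the visible part of the status line; the guard is a stop-gap for code that cannot yet move to 6.5.3, not a replacement for the upgrade.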
    • Severity: High
    Inefficient Algorithmic Complexity

    Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity in the HTTPHeaders.add method. An attacker can cause the server's event loop to become unresponsive for an extended period by sending a single maliciously crafted HTTP request with repeated header names, leading to excessive string concatenation and high CPU usage.

    Note:

    This is only exploitable if the max_header_size setting of HTTPServer has been raised above its default of 64 KiB; at the default limit a single request cannot carry enough repeated header names for the quadratic concatenation to matter. Check your HTTPServer construction for a larger max_header_size before treating this as low priority.

    How to fix Inefficient Algorithmic Complexity?

    Upgrade tornado to version 6.5.3 or higher.

    Vulnerable versions: [,6.5.3) (all versions before 6.5.3)
    • Severity: High
    Allocation of Resources Without Limits or Throttling

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the multipart/form-data parser. An attacker can generate an extremely high volume of logs, leading to a denial of service by sending malformed multipart form data that triggers continuous error logging.

    Note:

    This is only exploitable if the logging subsystem is synchronous, which is the case for the standard library's stream and file handlers: each error line is then written inline on the serving thread, so a flood of malformed multipart requests turns into a flood of blocking writes.

    How to fix Allocation of Resources Without Limits or Throttling?

    Upgrade tornado to version 6.5 or higher.

    Vulnerable versions: [,6.5) (all versions before 6.5)
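The page gives no workaround for the logging flood beyond upgrading. The following is an added, generic defense-in-depth measure, not tornado's code and not something the Snyk page describes: a sliding-window `logging.Filter` that caps how many records per second reach a synchronous handler, so a burst of parse errors cannot saturate it. The logger name `example.multipart`, the message text and the flood simulation are this example's own constructions; in a real deployment the filter would be attached to whichever logger your tornado version routes parser warnings through, and the clock is injectable so the behaviour can be checked without real time passing.

```python
import logging
import time
from collections import deque


class BurstLimitFilter(logging.Filter):
    """Pass at most `max_per_window` records per sliding `window` seconds; drop the rest.

    Attached to the logger that receives parser error messages, this bounds the
    work a synchronous handler does under a flood. `clock` is injectable for tests.
    """

    def __init__(self, max_per_window=20, window=1.0, clock=time.monotonic):
        super().__init__()
        self.max_per_window = max_per_window
        self.window = window
        self.clock = clock
        self.stamps = deque()   # emit times that fall inside the current window
        self.dropped = 0        # records the filter swallowed

    def filter(self, record):
        now = self.clock()
        # Forget emits that have aged out of the window.
        while self.stamps and now - self.stamps[0] > self.window:
            self.stamps.popleft()
        if len(self.stamps) >= self.max_per_window:
            self.dropped += 1
            return False
        self.stamps.append(now)
        return True


class CollectingHandler(logging.Handler):
    """Stands in for a synchronous handler: keeps every record that reaches it."""

    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append(record)


def simulate_flood(n_messages, max_per_window=20, window=1.0, rate_per_sec=1000):
    """Log n_messages malformed-multipart warnings at rate_per_sec with the filter installed.

    Returns (records that reached the handler, records dropped by the filter).
    """
    now = [0.0]
    logger = logging.getLogger("example.multipart")  # hypothetical logger name
    logger.propagate = False
    logger.setLevel(logging.WARNING)
    logger.handlers.clear()
    logger.filters.clear()
    handler = CollectingHandler()
    logger.addHandler(handler)
    limiter = BurstLimitFilter(max_per_window, window, clock=lambda: now[0])
    logger.addFilter(limiter)
    for i in range(n_messages):
        now[0] = (i + 1) / rate_per_sec
        # Constructed message in the spirit of a multipart parse error; not tornado's text.
        logger.warning("Invalid multipart/form-data: missing boundary (request %d)", i)
    return len(handler.records), limiter.dropped


if __name__ == "__main__":
    emitted, dropped = simulate_flood(1000)
    print("emitted %d, dropped %d" % (emitted, dropped))
```

At 1,000 messages per second and a cap of 20 per second, the handler sees 20 records and the other 980 are counted and discarded; the `dropped` counter is worth exporting as a metric, since a rising value is itself a signal that someone is sending malformed multipart bodies. The filter limits the damage but does not remove the underlying behaviour, so the upgrade to 6.5 or later is still the fix.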