7.5
CVE-2024-52804
- EPSS 1.05%
- Veröffentlicht 22.11.2024 16:15:34
- Zuletzt bearbeitet 03.11.2025 23:17:15
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Tornado has HTTP cookie parsing DoS vulnerability
Tornado is a Python web framework and asynchronous networking library. The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This parsing occurs in the event loop thread and may block the processing of other requests. Version 6.4.2 fixes the issue.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Tornadoweb ≫ Tornado Version < 6.4.2
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.05% | 0.599 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
|
CWE-400 Uncontrolled Resource Consumption
The product does not properly control the allocation and maintenance of a limited resource.
CWE-770 Allocation of Resources Without Limits or Throttling
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
https://github.com/advisories/GHSA-7pwv-g7hj-39pr
https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533
https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c
https://lists.debian.org/debian-lts-announce/2025/01/msg00000.html