CVE-2012-2374 — Improper Input Validation in Tornado

CWE-20 — Improper Input Validation6 documents5 sources

Severity

5.0MEDIUMNVD

EPSS

0.3%

top 44.08%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tornadoweb Tornado Debian Python-tornado

Timeline

PublishedMay 23

Latest updateMay 17

Description

CRLF injection vulnerability in the tornado.web.RequestHandler.set_header function in Tornado before 2.2.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted input.

CVSS vector

AV:N/AC:L/C:N/I:P/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages3 packages

▶PyPItornadoweb/tornado< 2.2.1

▶debiandebian/python-tornado< python-tornado 2.1.0-3 (bookworm)

▶NVDtornadoweb/tornado2.2+9

🔴Vulnerability Details

OSV

Tornado CRLF injection vulnerability↗2022-05-17

▶

GHSA

Tornado CRLF injection vulnerability↗2022-05-17

▶

OSV

CVE-2012-2374: CRLF injection vulnerability in the tornado↗2012-05-23

▶

📋Vendor Advisories

Debian

CVE-2012-2374: python-tornado - CRLF injection vulnerability in the tornado.web.RequestHandler.set_header functi...↗2012

▶

💬Community

Bugzilla

CVE-2012-2374 python-tornado: Tornado v2.2.1 tornado.web.RequestHandler.set_header() fix to prevent header injection↗2012-05-18

▶