CVE-2014-9720 — Observable Discrepancy in Tornado

CWE-203 — Observable Discrepancy CWE-201 — Sensitive Info Insertion into Sent Data7 documents6 sources

Severity

6.5MEDIUMNVD

EPSS

0.9%

top 24.26%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tornadoweb Tornado Debian Python-tornado

Timeline

PublishedJan 24

Latest updateMay 17

Description

Tornado before 3.2.2 sends arbitrary responses that contain a fixed CSRF token and may be sent with HTTP compression, which makes it easier for remote attackers to conduct a BREACH attack and determine this token via a series of crafted requests.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶NVDtornadoweb/tornado< 3.2.2

▶PyPItornadoweb/tornado< 3.2.2

▶debiandebian/python-tornado< python-tornado 3.2.2-1 (bookworm)

Patches

Patch: openwall.com ↗Patch: bugzilla.novell.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

GHSA

Tornado XSRF cookie allows side-channel attack against TLS (BREACH attack)↗2022-05-17

▶

OSV

Tornado XSRF cookie allows side-channel attack against TLS (BREACH attack)↗2022-05-17

▶

OSV

CVE-2014-9720: Tornado before 3↗2020-01-24

▶

📋Vendor Advisories

Red Hat

python-tornado: XSRF cookie allows side-channel attack against TLS (BREACH)↗2014-05-26

▶

Debian

CVE-2014-9720: python-tornado - Tornado before 3.2.2 sends arbitrary responses that contain a fixed CSRF token a...↗2014

▶

💬Community

Bugzilla

CVE-2014-9720 python-tornado: XSRF cookie allows side-channel attack against TLS (BREACH)↗2015-05-19

▶