CVE-2023-28370: Open Redirect in Tornado

CWE-601: Open Redirect | 10 documents, 7 sources

Severity: 6.1 MEDIUM (NVD)
EPSS: 0.5% (top 32.81%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published May 25; latest update Dec 11

Description

Open redirect vulnerability in Tornado versions 6.3.1 and earlier allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having the user access a specially crafted URL.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages (5 packages)

NVD: tornadoweb/tornado < 6.3.2
PyPI: tornadoweb/tornado < 6.3.2
Debian: debian/python-tornado < python-tornado 6.2.0-3+deb12u1 (bookworm)
CVEListV5: tornadoweb/tornado versions 6.3.1 and earlier

Vulnerability Details (4)

OSV: python-tornado vulnerabilities (2024-12-11)
GHSA: Open redirect in Tornado (2023-05-25)
OSV: CVE-2023-28370: Open redirect vulnerability in Tornado versions 6 (2023-05-25)
OSV: Open redirect in Tornado (2023-05-25)

Vendor Advisories (5)

Ubuntu: Tornado vulnerabilities (2024-12-11)
Ubuntu: Tornado vulnerability (2023-06-13)
Red Hat: python-tornado: open redirect vulnerability in StaticFileHandler under certain configurations (2023-05-25)
Microsoft: Open redirect vulnerability in Tornado versions 6.3.1 and earlier allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having user acce (2023-05-09)
Debian: CVE-2023-28370: python-tornado - Open redirect vulnerability in Tornado versions 6.3.1 and earlier allows a remot... (2023)
Source: cvebase (CVE-2023-28370: Open Redirect in Tornadoweb Tornado)