CVE-2024-52804Uncontrolled Resource Consumption in Tornado

CWE-400Uncontrolled Resource ConsumptionCWE-770Allocation of Resources Without Limits or ThrottlingCWE-1333Regex Denial of ServiceCWE-833Deadlock9 documents6 sources
Severity
7.5HIGHNVD
OSV6.1
EPSS
0.1%
top 69.34%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Tornadoweb TornadoDebian Python-tornado
Timeline
PublishedNov 22
Latest updateDec 11

Description

Tornado is a Python web framework and asynchronous networking library. The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This parsing occurs in the event loop thread and may block the processing of other requests. Version 6.4.2 fixes the issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

debiandebian/python-tornado< python-tornado 6.2.0-3+deb12u1 (bookworm)
NVDtornadoweb/tornado< 6.4.2
PyPItornadoweb/tornado< 6.4.2

Patches

Patch: github.com

🔴Vulnerability Details

4
OSV
python-tornado vulnerabilities2024-12-11
OSV
CVE-2024-52804: Tornado is a Python web framework and asynchronous networking library2024-11-22
OSV
Tornado has an HTTP cookie parsing DoS vulnerability2024-11-22
GHSA
Tornado has an HTTP cookie parsing DoS vulnerability2024-11-22

📋Vendor Advisories

3
Ubuntu
Tornado vulnerabilities2024-12-11
Red Hat
python-tornado: Tornado has HTTP cookie parsing DoS vulnerability2024-11-22
Debian
CVE-2024-52804: python-tornado - Tornado is a Python web framework and asynchronous networking library. The algor...2024
CVE-2024-52804 — Uncontrolled Resource Consumption | cvebase