CVE-2024-52804

CVSS V2 None CVSS V3 None

Description

Tornado is a Python web framework and asynchronous networking library. The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This parsing occurs in the event loop thread and may block the processing of other requests. Version 6.4.2 fixes the issue.

Overview

CVE ID
CVE-2024-52804

Assigner
GitHub_M

Vulnerability Status
PUBLISHED

Published Version
2024-11-22T15:43:38.572Z

Last Modified Date
2024-11-22T15:43:38.572Z

Weakness Enumerations

CWE	URL
CWE-400	http://cwe.mitre.org/data/definitions/400.html
CWE-770	http://cwe.mitre.org/data/definitions/770.html

References

Reference URL	Reference Tags
https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c	x_refsource_CONFIRM
https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533	x_refsource_MISC
https://github.com/advisories/GHSA-7pwv-g7hj-39pr	x_refsource_MISC

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-52804
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52804

History

Created	Old Value	New Value	Data Type	Notes
2024-11-23 14:12:47				Added to TrackCVE