Lucene search
GoogleOSV:GHSA-8VPW-MGPF-MPVVHistoryMay 17, 2022 - 7:57 p.m.
Tornado XSRF cookie allows side-channel attack against TLS (BREACH attack)
2022-05-1719:57:19
Google
osv.dev
4
tornado
xsrf
cookie
vulnerability
breach
attack
tls
side-channel
Tornado before 3.2.2 sends arbitrary responses that contain a fixed CSRF token and may be sent with HTTP compression, which makes it easier for remote attackers to conduct a BREACH attack and determine this token via a series of crafted requests.
References
openwall.com/lists/oss-security/2015/05/19/4
www.tornadoweb.org/en/stable/releases/v3.2.2.html
bugzilla.novell.com/show_bug.cgi?id=930362
bugzilla.redhat.com/show_bug.cgi?id=1222816
github.com/tornadoweb/tornado
github.com/tornadoweb/tornado/commit/1c36307463b1e8affae100bf9386948e6c1b2308
nvd.nist.gov/vuln/detail/CVE-2014-9720
Related
openvas
openvas
Mageia: Security Advisory (MGASA-2015-0251)
2022-01-28 00:00:00
Fedora Update for python-tornado FEDORA-2015-9143
2015-07-07 00:00:00
Debian: Security Advisory (DLA-475-1)
2023-03-08 00:00:00
cve
cve
CVE-2014-9720
2020-01-24 18:15:12
nessus
nessus
Debian DLA-475-1 : python-tornado security update
2016-05-16 00:00:00
SUSE SLED12 Security Update : python-tornado (SUSE-SU-2016:1195-1)
2016-05-04 00:00:00
RHEL 7 : python-tornado (Unpatched Vulnerability)
2024-06-03 00:00:00
fedora
fedora
[SECURITY] Fedora 21 Update: python-tornado-3.2.2-1.fc21
2015-06-10 19:18:24
[SECURITY] Fedora 22 Update: python-tornado-3.2.2-1.fc22
2015-06-09 15:04:28
osv
osv
python-tornado - security update
2015-07-22 00:00:00
python-tornado - security update
2016-05-15 00:00:00
PYSEC-2020-213
2020-01-24 18:15:00
debian
debian
[SECURITY] [DLA 279-1] python-tornado security update
2015-07-22 12:52:54
[SECURITY] [DLA 475-1] python-tornado security update
2016-05-15 19:45:40
github
github
Tornado XSRF cookie allows side-channel attack against TLS (BREACH attack)
2022-05-17 19:57:19
nvd
nvd
CVE-2014-9720
2020-01-24 18:15:12
prion
prion
Cross site request forgery (csrf)
2020-01-24 18:15:00
cvelist
cvelist
CVE-2014-9720
2020-01-24 17:03:38
mageia
mageia
Updated python-tornado package fixes security vulnerability
2015-07-01 15:40:22
debiancve
debiancve
CVE-2014-9720
2020-01-24 18:15:12
ubuntucve
ubuntucve
CVE-2014-9720
2020-01-24 00:00:00