7 matches found
MGASA-2026-0216 Updated python-tornado packages fix security vulnerabilities
Tornado has a DoS due to too many multipart parts. CVE-2026-31958 In Tornado, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.setcookie were not checked for crafted characters. CVE-2026-35536...
CVE-2026-22740
A WebFlux server application that processes multipart requests creates temp files for parts larger than 10 K. Under some circumstances, temp files may remain not deleted after the request is fully processed. This allows an attacker to consume available disk space. Older, unsupported versions are...
EUVD-2026-26205
A WebFlux server application that processes multipart requests creates temp files for parts larger than 10 K. Under some circumstances, temp files may remain not deleted after the request is fully processed. This allows an attacker to consume available disk space. Older, unsupported versions are...
CVE-2026-31958 Tornado has a DoS due to too many multipart parts
Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the maxbodysize setting default 100MB. Since parsing occurs synchronously on the main thread, this creates the possibility ...
amavisd-new -- multipart boundary confusion
The Amavis project reports: Emails which consist of multiple parts Content-Type: multipart/ incorporate boundary information stating at which point one part ends and the next part begins. A boundary is announced by an Content-Type header's boundary parameter. To our current knowledge, RFC2046 and...
OESA-2023-1237 golang security update
The Go Programming Language. Security Fixes: Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts. This stems from several causes: 1. mime/multipart.Reader.ReadForm limits the total memory a parsed multipart form can...
PYSEC-2023-58
Werkzeug is a comprehensive WSGI web application library. Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. ...