CVE-2023-28370
Open redirect vulnerability in tornado (PyPI)
What is CVE-2023-28370 About?
This vulnerability in Tornado versions 6.3.1 and earlier allows for open redirection. A remote unauthenticated attacker can redirect a user to an arbitrary web site and conduct phishing attacks. Exploitation is relatively simple, requiring users to click on a specially crafted URL.
Affected Software
Technical Details
The vulnerability is an Open Redirect, a class of flaw that arises when a web application accepts a URL as a parameter and redirects the user to it without adequate validation. In Tornado versions 6.3.1 and earlier, such a mechanism exists: an attacker can supply a specially crafted URL, and when a user accesses it the Tornado code path intended for legitimate redirection accepts the attacker-controlled destination and issues an HTTP redirect to it. Because the redirect originates from a trusted host, users can be led to a malicious phishing site while believing they are still interacting with the legitimate application.
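As an added illustration of the underlying defect, not code from the Tornado project or from this advisory, the following stdlib-only Python helper shows the kind of validation an application should apply before honouring a user-supplied redirect target. It generalises beyond the specific Tornado case: it rejects absolute URLs, protocol-relative targets (`//host`), backslash and multi-slash variants that browsers normalise into a host, and control characters that could split the header. The function names and the sample inputs are constructed for this example; upgrading to Tornado 6.3.2 remains the actual fix for CVE-2023-28370.

```python
from urllib.parse import urlsplit, urlunsplit


def safe_redirect_target(candidate: str, default: str = "/") -> str:
    """Return a same-origin redirect path derived from `candidate`, or `default`.

    Hypothetical helper (not Tornado's own code). It only ever returns a
    path-relative target, so the browser stays on the current origin.
    """
    if not isinstance(candidate, str) or not candidate:
        return default

    # Control characters (CR, LF, TAB, NUL, DEL) have no place in a redirect
    # target and can be used to split or confuse the Location header.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in candidate):
        return default

    # Browsers treat backslashes as forward slashes in URLs, so "/\evil.example"
    # is really "//evil.example". Normalise before any further checks.
    normalised = candidate.replace("\\", "/")

    # Anything starting with two or more slashes is protocol-relative in the
    # browser ("///evil.example" collapses to "//evil.example"), even though
    # urlsplit() would report an empty netloc for the three-slash form.
    if normalised.startswith("//"):
        return default

    parts = urlsplit(normalised)

    # An explicit scheme ("https:", "javascript:") or host means an absolute
    # target, which is exactly what an open redirect needs. Refuse it.
    if parts.scheme or parts.netloc:
        return default

    # Only accept paths anchored at the site root; "evil.example" without a
    # leading slash would be resolved relative to the current page, which is
    # harmless, but rejecting it keeps the contract simple and explicit.
    if not parts.path.startswith("/"):
        return default

    # Rebuild without scheme/netloc so the result cannot leave the origin.
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))


def location_is_same_origin(location: str, own_host: str) -> bool:
    """Check a response's Location header in an integration test.

    Constructed helper for defenders verifying that redirects issued by their
    application never point off-site. `own_host` is the host the app serves.
    """
    if not location:
        return False
    if location.startswith("//"):
        return False
    parts = urlsplit(location.replace("\\", "/"))
    if not parts.scheme and not parts.netloc:
        return parts.path.startswith("/")
    return parts.scheme in ("http", "https") and parts.netloc == own_host


if __name__ == "__main__":
    # Constructed sample inputs: the first two are legitimate, the rest are
    # the shapes an open-redirect probe typically takes.
    samples = [
        "/account",
        "/login?next=/dashboard#top",
        "//evil.example/login",
        "/\\evil.example",
        "///evil.example",
        "https://evil.example/",
        "javascript:alert(1)",
        "/a\r\nSet-Cookie: x=y",
    ]
    for s in samples:
        print(f"{s!r:32} -> {safe_redirect_target(s)!r}")
    print(location_is_same_origin("https://app.example/home", "app.example"))
    print(location_is_same_origin("//evil.example/", "app.example"))
```

The helper deliberately returns a path rather than a boolean: callers pass its result straight to their redirect call, so there is no way to forget the check. Where an application genuinely needs to redirect to a small set of other hosts, the right extension is an explicit allow-list of hostnames compared against `parts.netloc`, never a prefix or substring match on the raw string.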
What is the Impact of CVE-2023-28370?
Successful exploitation may allow attackers to redirect users to malicious websites, facilitating phishing campaigns, malware delivery, or credential theft.
What is the Exploitability of CVE-2023-28370?
Exploitation involves crafting a URL with a malicious redirect parameter. The complexity is low. No authentication is required, and no special privileges are needed, because the vulnerable redirection logic is reachable by unauthenticated clients. The attack is remote and requires user interaction, typically luring a user into clicking a crafted link. The primary risk factors are the public exposure of the Tornado application and how convincing the social engineering is that gets users to click the link.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-28370?
Available Upgrade Options
- tornado
- <6.3.2 → Upgrade to 6.3.2
Additional Resources
- https://osv.dev/vulnerability/PYSEC-2023-75
- https://github.com/tornadoweb/tornado/commit/32ad07c54e607839273b4e1819c347f5c8976b2f
- https://github.com/tornadoweb/tornado/releases/tag/v6.3.2
- https://jvn.jp/en/jp/JVN45127776/
- https://github.com/tornadoweb/tornado
- https://nvd.nist.gov/vuln/detail/CVE-2023-28370
- https://github.com/pypa/advisory-database/tree/main/vulns/tornado/PYSEC-2023-75.yaml
What are Similar Vulnerabilities to CVE-2023-28370?
Similar Vulnerabilities: CVE-2023-41080, CVE-2023-39968, CVE-2022-23307, CVE-2020-15509, CVE-2019-17558
