GHSA-78cv-mqj4-43f7
CRLF Injection vulnerability in tornado (PyPI)

Category: CRLF Injection. Known public exploits: none.

What is GHSA-78cv-mqj4-43f7 About?

This vulnerability in Tornado affects versions prior to 6.5.5, allowing CRLF injection due to incomplete validation of `domain`, `path`, and `samesite` arguments in `RequestHandler.set_cookie`. An attacker can inject semicolons to add attacker-controlled cookie attributes. Exploitation requires the attacker to control input to these arguments.

Affected Software

tornado < 6.5.5

Technical Details

In Tornado versions prior to 6.5.5, the `RequestHandler.set_cookie` method did not adequately validate the values passed to its `domain`, `path`, and `samesite` arguments. Specifically, the validation did not reject semicolons (`;`), which are the attribute separator in a `Set-Cookie` header. An attacker who could place a semicolon followed by arbitrary text into one of these arguments could therefore terminate the intended attribute early and append further, attacker-controlled cookie attributes (e.g., `Domain=example.com;Secure;HttpOnly`) to the HTTP response header, potentially overriding legitimate attributes or adding new malicious ones.
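The following is an added illustration written for this page; it is not Tornado's code and does not import Tornado. It reproduces, in a small header builder, the failure the advisory describes (an unchecked `;` in an attribute value becoming an attribute separator), and places beside it the kind of validation an application can apply to user-controlled values before they reach `set_cookie` as defence in depth while upgrading. The helper names (`validate_cookie_attribute`, `build_set_cookie`, `attribute_names`) and the sample value `example.com;Secure` are constructed for the example.

```python
"""Added example: why a ';' in a Set-Cookie attribute value is dangerous, and a
pre-set_cookie validator that rejects it. Not Tornado's own code."""
import re

# RFC 6265: ';' separates attributes and CR/LF end the header line, so none of
# them may appear inside an attribute value. Other control bytes are rejected too.
_FORBIDDEN = re.compile(r"[;\x00-\x1f\x7f]")
_ALLOWED_SAMESITE = {"strict", "lax", "none"}


def validate_cookie_attribute(name, value):
    """Return value unchanged if it is safe to embed as the Set-Cookie attribute
    `name`; raise ValueError otherwise. None means "attribute not set"."""
    if value is None:
        return None
    if not isinstance(value, str):
        raise ValueError(f"{name} must be a string, got {type(value).__name__}")
    if _FORBIDDEN.search(value):
        raise ValueError(f"{name} contains a character that would break out of the attribute")
    if name == "samesite" and value.lower() not in _ALLOWED_SAMESITE:
        raise ValueError(f"samesite must be one of {sorted(_ALLOWED_SAMESITE)}")
    return value


def build_set_cookie(name, value, domain=None, path="/", samesite=None, validate=True):
    """Build a Set-Cookie header string.

    validate=False interpolates the arguments unchecked, mirroring the behaviour
    the advisory describes for Tornado < 6.5.5; validate=True rejects hostile input.
    """
    parts = [f"{name}={value}"]
    for attr_name, attr_value in (("Domain", domain), ("Path", path), ("SameSite", samesite)):
        if attr_value is None:
            continue
        if validate:
            attr_value = validate_cookie_attribute(attr_name.lower(), attr_value)
        parts.append(f"{attr_name}={attr_value}")
    return "; ".join(parts)


def attribute_names(header):
    """Return the attribute names that follow the cookie pair in a Set-Cookie header.
    Comparing this list against the attributes the application meant to set is a
    simple response-side check for injected attributes."""
    segments = [s.strip() for s in header.split(";")[1:]]
    return [s.split("=", 1)[0] for s in segments if s]


if __name__ == "__main__":
    # Constructed hostile value: the text after ';' becomes a separate attribute.
    hostile_domain = "example.com;Secure"
    unchecked = build_set_cookie("sid", "abc", domain=hostile_domain, validate=False)
    print(unchecked)                    # sid=abc; Domain=example.com;Secure; Path=/
    print(attribute_names(unchecked))   # ['Domain', 'Secure', 'Path']
    try:
        build_set_cookie("sid", "abc", domain=hostile_domain)
    except ValueError as exc:
        print("rejected:", exc)
```

In an application, `validate_cookie_attribute` would be called on any user-influenced `domain`, `path` or `samesite` value immediately before the real `self.set_cookie(...)` call; the upgrade to 6.5.5 remains the actual fix, since the validator only guards the call sites you remember to wrap.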

What is the Impact of GHSA-78cv-mqj4-43f7?

Successful exploitation may allow attackers to inject arbitrary cookie attributes, which can lead to session hijacking, cross-site scripting (XSS) via injected cookie values, or other client-side attacks.

What is the Exploitability of GHSA-78cv-mqj4-43f7?

Exploitation requires an attacker to be able to control input that is subsequently passed as the `domain`, `path`, or `samesite` argument to `RequestHandler.set_cookie`. No authentication or specific privileges are inherently required, as the attack relies on input provided by the client. The attack is remote, typically involving crafted HTTP requests that trigger the vulnerable cookie-setting logic. The complexity is low, as it relies on injecting semicolons into a known vulnerable input field. The primary risk factor is applications that set cookies from user-controlled data without proper sanitization in Tornado.

What are the Known Public Exploits?

PoC / Author / Link / Commentary: no known public exploits recorded.

What are the Available Fixes for GHSA-78cv-mqj4-43f7?

Available Upgrade Options

  • tornado
    • <6.5.5 → Upgrade to 6.5.5


Additional Resources

What are Similar Vulnerabilities to GHSA-78cv-mqj4-43f7?

Similar Vulnerabilities: CVE-2023-26116, CVE-2022-26143, CVE-2021-43818, CVE-2020-28489, CVE-2020-15160