SB2024060642 - Multiple vulnerabilities in Tornado

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Input validation error (CVE-ID: N/A)

The vulnerability allows a remote attacker to inject arbitrary headers into outbound requests or cause the application to send arbitrary requests to the specified server.

The vulnerability exists due to improper input validation in curl_httpclient.CurlAsyncHTTPClient when processing attacker-controlled request headers. A remote attacker can supply a crafted header value containing CRLF characters to inject arbitrary headers into outbound requests or cause the application to send arbitrary requests to the specified server.

This issue affects applications that include untrusted header data in requests sent through this client and may facilitate server-side request forgery scenarios.

2) Inconsistent interpretation of HTTP requests (CVE-ID: N/A)

The vulnerability allows a remote attacker to perform HTTP request smuggling.

The vulnerability exists due to inconsistent interpretation of HTTP requests in the Tornado HTTP request parser when processing requests with multiple Transfer-Encoding: chunked headers. A remote attacker can send a specially crafted request to perform HTTP request smuggling.

Exploitation requires Tornado to be deployed behind a proxy server that forwards requests containing multiple Transfer-Encoding: chunked headers.

Remediation

Install update from vendor's website.

References

• https://github.com/tornadoweb/tornado/security/advisories/GHSA-w235-7p84-xx57
• https://github.com/tornadoweb/tornado/security/advisories/GHSA-753j-mpmx-qq6g