tornado@6.1 vulnerabilities

Tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed.

Direct Vulnerabilities

Known vulnerabilities in the tornado package. This does not include vulnerabilities belonging to this package’s dependencies.

HTTP Request Smuggling (severity: Medium)


Affected versions of this package are vulnerable to HTTP Request Smuggling because request length values are parsed and validated with Python's int constructor, which accepts characters that the HTTP grammar does not permit.

Notes:

  1. This is possible when Tornado is deployed behind certain proxies that interpret those non-standard characters differently.
  2. This is known to apply to older versions of haproxy, although the current release is not affected.

How to fix HTTP Request Smuggling?

Upgrade tornado to version 6.3.3 or higher.

Vulnerable versions: [,6.3.3)

HTTP Request Smuggling (severity: Medium)


Affected versions of this package are vulnerable to HTTP Request Smuggling due to improper parsing of the -, +, and _ characters in chunk length and Content-Length fields through the int constructor.

Note: Exploiting this vulnerability is possible if Tornado is deployed behind certain proxies that interpret non-standard characters differently, such as older versions of haproxy.
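To show why the int constructor is the wrong tool for these fields, the following added example (not tornado's code; the "lenient" functions only model the permissive behaviour described above, not tornado's actual implementation) puts a grammar-strict parser for Content-Length and chunk-size beside an int()-based one and lists which constructed values each accepts.

```python
import re

# RFC 9112 grammar: Content-Length = 1*DIGIT, chunk-size = 1*HEXDIG.
# Python's int() is far more permissive than either production.
CONTENT_LENGTH_RE = re.compile(r"[0-9]+")
CHUNK_SIZE_RE = re.compile(r"[0-9A-Fa-f]+")


def lenient_content_length(value: str) -> int:
    """Models the pre-fix behaviour: int() accepts a sign, surrounding
    whitespace and '_' digit separators, none of which HTTP allows."""
    return int(value)


def strict_content_length(value: str) -> int:
    """Hardened form: accept only 1*DIGIT, then convert."""
    if CONTENT_LENGTH_RE.fullmatch(value) is None:
        raise ValueError(f"invalid Content-Length: {value!r}")
    return int(value)


def lenient_chunk_size(line: str) -> int:
    """Models the pre-fix behaviour: int(x, 16) also tolerates a '0x'
    prefix, '+', '-', '_' and whitespace. Chunk extensions after ';' are dropped."""
    size, _, _ext = line.partition(";")
    return int(size, 16)


def strict_chunk_size(line: str) -> int:
    """Hardened form: chunk-size must be 1*HEXDIG (extensions are ignored here)."""
    size, _, _ext = line.partition(";")
    if CHUNK_SIZE_RE.fullmatch(size) is None:
        raise ValueError(f"invalid chunk-size: {size!r}")
    return int(size, 16)


def compare(parsers, samples):
    """Return {sample: (lenient_result, strict_result)}; 'rejected' marks a ValueError."""
    results = {}
    for sample in samples:
        row = []
        for parse in parsers:
            try:
                row.append(parse(sample))
            except ValueError:
                row.append("rejected")
        results[sample] = tuple(row)
    return results


if __name__ == "__main__":
    # Constructed header values: only the first in each list is grammar-valid.
    cl = compare((lenient_content_length, strict_content_length), ["42", "+42", " 42 ", "4_2", "-0"])
    cs = compare((lenient_chunk_size, strict_chunk_size), ["1f;name=v", "0x1f", "+1f", "1_f"])
    for sample, (lenient, strict) in {**cl, **cs}.items():
        print(f"{sample!r:14} int(): {lenient!s:9} strict: {strict}")
```

Any value the two parsers disagree on is one a front-end proxy and the application server may also disagree on, which is the precondition for the smuggling described above.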

How to fix HTTP Request Smuggling?

Upgrade tornado to version 6.3.3 or higher.

Vulnerable versions: [,6.3.3)

Open Redirect (severity: Low)


Affected versions of this package are vulnerable to Open Redirect via the StaticFileHandler class, due to improper validation of the default_filename parameter in the initialize function. Exploiting this vulnerability is possible under specific configurations and might result in a redirect to an attacker-controlled site.

Note: This vulnerability is still under analysis and we are following up with the maintainers to confirm it.

How to fix Open Redirect?

Upgrade tornado to version 6.3.2 or higher.

Vulnerable versions: [,6.3.2)