Home > Vulnerability Database > CVE-2024-52804

Mend.io Vulnerability Database

CVE-2024-52804

Good to know:

Date: November 22, 2024

Tornado is a Python web framework and asynchronous networking library. The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This parsing occurs in the event loop thread and may block the processing of other requests. Version 6.4.2 fixes the issue.

Language: Python

Severity Score

7.5

Related Resources (6)

Url: https://github.com/advisories/GHSA-7pwv-g7hj-39pr

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-52804

Url: https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533

Url: https://github.com/tornadoweb/tornado

Url: https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c

Url: https://www.mend.io/vulnerability-database/CVE-2024-52804

Severity Score

7.5

Weakness Type (CWE)

Uncontrolled Resource Consumption ('Resource Exhaustion')

CWE-400

Allocation of Resources Without Limits or Throttling

CWE-770

Top Fix

Upgrade Version

Upgrade to version tornado - 6.4.2

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-52804

Good to know:

Date: November 22, 2024

Language: Python

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?