Improper input validation in Tornadoweb Tornado
CVE-2012-2374
CRLF injection vulnerability in the tornado.web.RequestHandler.set_header function in Tornado before 2.2.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted input.
Vulnerability class: Drupalgeddon 2 (CVE-2018-7600)
EPSS: 0.003 (56.2th percentile)
Affected products
- Tornadoweb Tornado — versions 1.0, 1.0.1, 1.1
Weakness classification (CWE)
References
- 53612 (vdb-entry, x_refsource_BID)
- secalert@redhat.com (x_refsource_CONFIRM, Vendor Advisory)
- 49185 (x_refsource_SECUNIA, third-party-advisory)
- [oss-security] 20120518 CVE Request -- Tornado (python-tornado): Tornado v2.2.1 tornado.web.RequestHandler.set_header() fix to prevent header injection (mailing-list, x_refsource_MLIST)
- [oss-security] 20120518 Re: CVE Request -- Tornado (python-tornado): Tornado v2.2.1 tornado.web.RequestHandler.set_header() fix to prevent header injection (mailing-list, x_refsource_MLIST)