{"id":"PYSEC-2012-5","details":"CRLF injection vulnerability in the tornado.web.RequestHandler.set_header function in Tornado before 2.2.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted input.","aliases":["CVE-2012-2374","GHSA-f7fv-v9rh-prvc"],"modified":"2024-05-01T11:26:45.048038Z","published":"2012-05-23T20:55:00Z","references":[{"type":"WEB","url":"http://www.tornadoweb.org/documentation/releases/v2.2.1.html"},{"type":"WEB","url":"http://openwall.com/lists/oss-security/2012/05/18/12"},{"type":"ADVISORY","url":"http://secunia.com/advisories/49185"},{"type":"WEB","url":"http://www.securityfocus.com/bid/53612"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2012/05/18/6"}],"affected":[{"package":{"name":"tornado","ecosystem":"PyPI","purl":"pkg:pypi/tornado"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.2.1"}]}],"versions":["0.2","1.0","1.1","1.1.1","1.2","1.2.1","2.0","2.1","2.1.1","2.2"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/tornado/PYSEC-2012-5.yaml"}}],"schema_version":"1.7.3"}