{"id":"USN-7150-1","summary":"python-tornado vulnerabilities","details":"It was discovered that Tornado incorrectly handled a certain redirect.\nA remote attacker could possibly use this issue to redirect a user to an\narbitrary web site and conduct a phishing attack by having the user access\na specially crafted URL. This issue was only addressed in Ubuntu 22.04 LTS,\nUbuntu 20.04 LTS, and Ubuntu 18.04 LTS. Ubuntu 16.04 LTS was previously\naddressed in USN-6159-1. (CVE-2023-28370)\n\nIt was discovered that Tornado inefficiently handled requests when parsing\ncookies. An attacker could possibly use this issue to increase resource\nutilization leading to a denial of service. (CVE-2024-52804)\n","modified":"2026-02-10T04:45:57Z","published":"2024-12-11T15:04:47Z","related":["UBUNTU-CVE-2023-28370","UBUNTU-CVE-2024-52804"],"upstream":["CVE-2023-28370","CVE-2024-52804","UBUNTU-CVE-2023-28370","UBUNTU-CVE-2024-52804"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-7150-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2023-28370"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2024-52804"}],"affected":[{"package":{"name":"python-tornado","ecosystem":"Ubuntu:Pro:18.04:LTS","purl":"pkg:deb/ubuntu/python-tornado@4.5.3-1ubuntu0.2+esm1?arch=source&distro=esm-apps/bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.5.3-1ubuntu0.2+esm1"}]}],"versions":["4.5.1-2.1~build2","4.5.2-1","4.5.3-1","4.5.3-1ubuntu0.1","4.5.3-1ubuntu0.2"],"ecosystem_specific":{"binaries":[{"binary_name":"python-tornado","binary_version":"4.5.3-1ubuntu0.2+esm1"},{"binary_name":"python3-tornado","binary_version":"4.5.3-1ubuntu0.2+esm1"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-7150-1.json","cves_map":{"cves":[{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2023-28370"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2024-52804"}],"ecosystem":"Ubuntu:Pro:18.04:LTS"}}},{"package":{"name":"python-tornado","ecosystem":"Ubuntu:Pro:20.04:LTS","purl":"pkg:deb/ubuntu/python-tornado@6.0.3+really5.1.1-3ubuntu0.1~esm1?arch=source&distro=esm-apps/focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.0.3+really5.1.1-3ubuntu0.1~esm1"}]}],"versions":["5.1.1-4ubuntu1","5.1.1-4ubuntu5","6.0.3+really5.1.1-2","6.0.3+really5.1.1-2build1","6.0.3+really5.1.1-2build2","6.0.3+really5.1.1-3"],"ecosystem_specific":{"binaries":[{"binary_name":"python3-tornado","binary_version":"6.0.3+really5.1.1-3ubuntu0.1~esm1"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-7150-1.json","cves_map":{"cves":[{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2023-28370"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2024-52804"}],"ecosystem":"Ubuntu:Pro:20.04:LTS"}}},{"package":{"name":"python-tornado","ecosystem":"Ubuntu:Pro:22.04:LTS","purl":"pkg:deb/ubuntu/python-tornado@6.1.0-3ubuntu0.1~esm1?arch=source&distro=esm-apps/jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.1.0-3ubuntu0.1~esm1"}]}],"versions":["6.1.0-1build1","6.1.0-2","6.1.0-3","6.1.0-3build1"],"ecosystem_specific":{"binaries":[{"binary_name":"python3-tornado","binary_version":"6.1.0-3ubuntu0.1~esm1"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-7150-1.json","cves_map":{"cves":[{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2023-28370"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2024-52804"}],"ecosystem":"Ubuntu:Pro:22.04:LTS"}}},{"package":{"name":"python-tornado","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/python-tornado@6.4.0-1ubuntu0.1?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.4.0-1ubuntu0.1"}]}],"versions":["6.3.2-1","6.4.0-0ubuntu1","6.4.0-1","6.4.0-1build1"],"ecosystem_specific":{"binaries":[{"binary_name":"python3-tornado","binary_version":"6.4.0-1ubuntu0.1"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-7150-1.json","cves_map":{"cves":[{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2024-52804"}],"ecosystem":"Ubuntu:24.04:LTS"}}}],"schema_version":"1.7.3"}