PT-2020-7788 · Tornado+1

Published: 2015-07-01 · Updated: 2022-05-17 · CVE-2014-9720

CVSS v4.0: 7.1 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Tornado versions prior to 3.2.2
Description: Tornado sends arbitrary responses that contain a fixed CSRF token, and these responses may be sent with HTTP compression. This allows remote attackers to conduct a BREACH attack and determine the token via a series of crafted requests.
Recommendations: For versions prior to 3.2.2, update to version 3.2.2 or later to resolve the issue.

Fix

Side Channel Attack

Weakness Enumeration

Related Identifiers

CVE-2014-9720
DLA-279-1
DLA-475-1
GHSA-8VPW-MGPF-MPVV
MGASA-2015-0251
PYSEC-2020-213
SUSE-SU-2016:1195-1
SUSE-SU-2016_1195-1

Affected Products

Suse
Tornado