PT-2021-11540 · Tornado · Tornado

Published: 2021-01-18
Updated: 2021-02-15
CVE: CVE-2020-28476
CVSS v3.1: 6.8 (Medium)
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions: tornado (affected versions not specified)
Description: Tornado is vulnerable to web cache poisoning through a technique called parameter cloaking. Tornado parses the query string with Python's urllib.parse.parse_qs, which before Python 3.9.2 / 3.8.8 treated a semicolon (;) as a parameter separator in addition to the ampersand (&). A caching proxy in its default configuration splits only on &, so it interprets a request differently from the server. For example, in /page?keyed=1&utm_content=x;callback=evil the cache sees two parameters, a keyed one and a single unkeyed tracking parameter (utm_content, whose value it excludes from the cache key), while Tornado sees three, including the attacker-controlled callback (parameter names here are illustrative). The response generated for the attacker's parameters is stored under the cache key of the clean request /page?keyed=1 and served to every subsequent visitor, so a malicious request is cached as if it were a safe one.
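The following model of the discrepancy is an added illustration, not Tornado's code and not part of the original advisory. It pins both parsers with a hand-written splitter so the behaviour does not depend on which Python runs it: the cache side splits on & only and drops a hypothetical set of unkeyed tracking parameters (UNKEYED_PARAMS), the backend side optionally splits on ; as well, as the pre-3.9.2 parse_qs that Tornado relies on did. The path, parameter names (utm_content, callback) and function names are assumptions chosen for the example.

```python
"""Parameter cloaking: one request, two parsers, one shared cache key.

Added example, not Tornado's own code.  UNKEYED_PARAMS, cache_key,
backend_params and the sample requests below are hypothetical.
"""
from urllib.parse import parse_qs, unquote_plus

# Hypothetical cache configuration: parameters the cache ignores when
# building its key (tracking parameters are a typical choice).
UNKEYED_PARAMS = {"utm_source", "utm_medium", "utm_content"}


def split_query(query, separators):
    """Split a raw query string into (name, value) pairs.

    `separators` is the set of characters treated as pair delimiters.
    Splitting on '&' only models a typical cache/proxy; splitting on both
    '&' and ';' models a backend whose parser treats ';' as a delimiter
    (urllib.parse.parse_qs did this before Python 3.9.2 / 3.8.8, and
    Tornado's query parsing is built on parse_qs).
    """
    pairs = []
    token = ""
    for ch in query + "&":  # trailing '&' acts as a sentinel
        if ch in separators:
            if token:
                name, _, value = token.partition("=")
                pairs.append((unquote_plus(name), unquote_plus(value)))
            token = ""
        else:
            token += ch
    return pairs


def cache_key(path, query):
    """Cache side: split on '&' only, drop unkeyed parameters, sort the rest."""
    keyed = sorted(
        (n, v) for n, v in split_query(query, "&") if n not in UNKEYED_PARAMS
    )
    return path + "?" + "&".join(f"{n}={v}" for n, v in keyed)


def backend_params(query, semicolon_is_separator):
    """Backend side: the argument dict the request handler sees."""
    seps = "&;" if semicolon_is_separator else "&"
    params = {}
    for n, v in split_query(query, seps):
        params.setdefault(n, []).append(v)
    return params


def interpreter_parse_qs_splits_on_semicolon():
    """Diagnostic: does this interpreter's parse_qs still split on ';'?"""
    return "b" in parse_qs("a=1;b=2")


if __name__ == "__main__":
    path = "/api/search"
    clean = "q=shoes"
    # Constructed attacker request: the injected parameter hides behind ';'
    # inside the value of an unkeyed tracking parameter.
    poisoned = "q=shoes&utm_content=x;callback=evil"

    print("cache key (clean)   :", cache_key(path, clean))
    print("cache key (poisoned):", cache_key(path, poisoned))
    print("backend, ';' split  :", backend_params(poisoned, True))
    print("backend, '&' only   :", backend_params(poisoned, False))
    print("this Python's parse_qs splits on ';':",
          interpreter_parse_qs_splits_on_semicolon())
```

Both requests collapse to the cache key /api/search?q=shoes, yet a backend that honours ; receives callback=evil, so whatever it renders for that parameter is what later visitors get from the cache. A backend that splits on & only sees a single harmless utm_content value, which is why the exposure of a given Tornado deployment depends on the Python version underneath it. On the cache side, the practical checks are to key on the full query string (or reject requests whose parameter values contain ;) rather than to trust an unkeyed-parameter allowlist.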
Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Related Identifiers

CVE-2020-28476

Affected Products

Tornado