GHSA-78cv-mqj4-43f7

ADVISORY - github

Summary

Values passed to the domain, path, and samesite arguments of RequestHandler.set_cookie were not completely validated in versions of Tornado prior to 6.5.5. In particular, semicolons would be allowed, which could be used to inject attacker-controlled values for other cookie attributes.

Common Weakness Enumeration (CWE)

ADVISORY - github

CWE-74⁠

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Impacted images

Advisories

GitHub

CREATED

4 hours ago

UPDATED

4 hours ago

ADVISORY IDGHSA-78cv-mqj4-43f7⁠

EXPLOITABILITY SCORE

2.8

EXPLOITS FOUND

-

COMMON WEAKNESS ENUMERATION (CWE)

CVSS SCORE

5.4medium