CVE-2024-52804 (GCVE-0-2024-52804)
Vulnerability from cvelistv5
| Vendor | Product | Version |
|---|---|---|
| tornadoweb | tornado | < 6.4.2 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:tornadoweb:tornado:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "tornado",
"vendor": "tornadoweb",
"versions": [
{
"lessThan": "6.4.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-52804",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-25T17:54:41.084248Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-25T17:55:43.782Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T22:28:40.235Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00000.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "tornado",
"vendor": "tornadoweb",
"versions": [
{
"status": "affected",
"version": "\u003c 6.4.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tornado is a Python web framework and asynchronous networking library. The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This parsing occurs in the event loop thread and may block the processing of other requests. Version 6.4.2 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-22T15:43:38.572Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c"
},
{
"name": "https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533"
},
{
"name": "https://github.com/advisories/GHSA-7pwv-g7hj-39pr",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/advisories/GHSA-7pwv-g7hj-39pr"
}
],
"source": {
"advisory": "GHSA-8w49-h785-mj3c",
"discovery": "UNKNOWN"
},
"title": "Tornado has HTTP cookie parsing DoS vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-52804",
"datePublished": "2024-11-22T15:43:38.572Z",
"dateReserved": "2024-11-15T17:11:13.441Z",
"dateUpdated": "2025-11-03T22:28:40.235Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2024-52804\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-11-22T16:15:34.417\",\"lastModified\":\"2025-11-03T23:17:15.537\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Tornado is a Python web framework and asynchronous networking library. The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This parsing occurs in the event loop thread and may block the processing of other requests. Version 6.4.2 fixes the issue.\"},{\"lang\":\"es\",\"value\":\"Tornado es un framework web de Python y una librer\u00eda de redes asincr\u00f3nicas. El algoritmo utilizado para analizar las cookies HTTP en las versiones de Tornado anteriores a la 6.4.2 a veces tiene una complejidad cuadr\u00e1tica, lo que genera un consumo excesivo de CPU al analizar encabezados de cookies manipulado con fines malintencionados. Este an\u00e1lisis se produce en el hilo del bucle de eventos y puede bloquear el procesamiento de otras solicitudes. 
La versi\u00f3n 6.4.2 soluciona el problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"},{\"lang\":\"en\",\"value\":\"CWE-770\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:tornadoweb:tornado:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"6.4.2\",\"matchCriteriaId\":\"6F76085D-6918-4959-959D-9B8A0DFD4724\"}]}]}],\"references\":[{\"url\":\"https://github.com/advisories/GHSA-7pwv-g7hj-39pr\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Not Applicable\"]},{\"url\":\"https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2025/01/msg00000.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-52804\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-11-25T17:54:41.084248Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:tornadoweb:tornado:*:*:*:*:*:*:*:*\"], \"vendor\": \"tornadoweb\", \"product\": \"tornado\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"6.4.2\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-11-25T17:55:37.644Z\"}}], \"cna\": {\"title\": \"Tornado has HTTP cookie parsing DoS vulnerability\", \"source\": {\"advisory\": \"GHSA-8w49-h785-mj3c\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"tornadoweb\", \"product\": \"tornado\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 6.4.2\"}]}], \"references\": [{\"url\": \"https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c\", \"name\": \"https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533\", \"name\": \"https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533\", \"tags\": 
[\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/advisories/GHSA-7pwv-g7hj-39pr\", \"name\": \"https://github.com/advisories/GHSA-7pwv-g7hj-39pr\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Tornado is a Python web framework and asynchronous networking library. The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This parsing occurs in the event loop thread and may block the processing of other requests. Version 6.4.2 fixes the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-400\", \"description\": \"CWE-400: Uncontrolled Resource Consumption\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-770\", \"description\": \"CWE-770: Allocation of Resources Without Limits or Throttling\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-11-22T15:43:38.572Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-52804\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-11-25T17:55:43.782Z\", \"dateReserved\": \"2024-11-15T17:11:13.441Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-11-22T15:43:38.572Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
rhsa-2024:10843
Vulnerability from csaf_redhat
Notes
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for python-tornado is now available for Red Hat Enterprise Linux 9.4 Extended Update Support.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Tornado is a Python web framework and asynchronous networking library that provides an open source version of a scalable, non-blocking web server and tools.\n\nSecurity Fix(es):\n\n* python-tornado: Tornado has HTTP cookie parsing DoS vulnerability (CVE-2024-52804)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2024:10843",
"url": "https://access.redhat.com/errata/RHSA-2024:10843"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2328045",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2328045"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_10843.json"
}
],
"title": "Red Hat Security Advisory: python-tornado security update",
"tracking": {
"current_release_date": "2025-11-06T22:34:22+00:00",
"generator": {
"date": "2025-11-06T22:34:22+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.11"
}
},
"id": "RHSA-2024:10843",
"initial_release_date": "2024-12-05T11:25:56+00:00",
"revision_history": [
{
"date": "2024-12-05T11:25:56+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2024-12-05T11:25:56+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-06T22:34:22+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product": {
"name": "Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_eus:9.4::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "python-tornado-0:6.4.2-1.el9_4.src",
"product": {
"name": "python-tornado-0:6.4.2-1.el9_4.src",
"product_id": "python-tornado-0:6.4.2-1.el9_4.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-tornado@6.4.2-1.el9_4?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "python3-tornado-0:6.4.2-1.el9_4.aarch64",
"product": {
"name": "python3-tornado-0:6.4.2-1.el9_4.aarch64",
"product_id": "python3-tornado-0:6.4.2-1.el9_4.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado@6.4.2-1.el9_4?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "python-tornado-debugsource-0:6.4.2-1.el9_4.aarch64",
"product": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_4.aarch64",
"product_id": "python-tornado-debugsource-0:6.4.2-1.el9_4.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-tornado-debugsource@6.4.2-1.el9_4?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_4.aarch64",
"product": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_4.aarch64",
"product_id": "python3-tornado-debuginfo-0:6.4.2-1.el9_4.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado-debuginfo@6.4.2-1.el9_4?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "python3-tornado-0:6.4.2-1.el9_4.ppc64le",
"product": {
"name": "python3-tornado-0:6.4.2-1.el9_4.ppc64le",
"product_id": "python3-tornado-0:6.4.2-1.el9_4.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado@6.4.2-1.el9_4?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "python-tornado-debugsource-0:6.4.2-1.el9_4.ppc64le",
"product": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_4.ppc64le",
"product_id": "python-tornado-debugsource-0:6.4.2-1.el9_4.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-tornado-debugsource@6.4.2-1.el9_4?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_4.ppc64le",
"product": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_4.ppc64le",
"product_id": "python3-tornado-debuginfo-0:6.4.2-1.el9_4.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado-debuginfo@6.4.2-1.el9_4?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "python3-tornado-0:6.4.2-1.el9_4.x86_64",
"product": {
"name": "python3-tornado-0:6.4.2-1.el9_4.x86_64",
"product_id": "python3-tornado-0:6.4.2-1.el9_4.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado@6.4.2-1.el9_4?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "python-tornado-debugsource-0:6.4.2-1.el9_4.x86_64",
"product": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_4.x86_64",
"product_id": "python-tornado-debugsource-0:6.4.2-1.el9_4.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-tornado-debugsource@6.4.2-1.el9_4?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_4.x86_64",
"product": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_4.x86_64",
"product_id": "python3-tornado-debuginfo-0:6.4.2-1.el9_4.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado-debuginfo@6.4.2-1.el9_4?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "python3-tornado-0:6.4.2-1.el9_4.s390x",
"product": {
"name": "python3-tornado-0:6.4.2-1.el9_4.s390x",
"product_id": "python3-tornado-0:6.4.2-1.el9_4.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado@6.4.2-1.el9_4?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "python-tornado-debugsource-0:6.4.2-1.el9_4.s390x",
"product": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_4.s390x",
"product_id": "python-tornado-debugsource-0:6.4.2-1.el9_4.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-tornado-debugsource@6.4.2-1.el9_4?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_4.s390x",
"product": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_4.s390x",
"product_id": "python3-tornado-debuginfo-0:6.4.2-1.el9_4.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado-debuginfo@6.4.2-1.el9_4?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python-tornado-0:6.4.2-1.el9_4.src as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:python-tornado-0:6.4.2-1.el9_4.src"
},
"product_reference": "python-tornado-0:6.4.2-1.el9_4.src",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_4.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_4.aarch64"
},
"product_reference": "python-tornado-debugsource-0:6.4.2-1.el9_4.aarch64",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_4.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_4.ppc64le"
},
"product_reference": "python-tornado-debugsource-0:6.4.2-1.el9_4.ppc64le",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_4.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_4.s390x"
},
"product_reference": "python-tornado-debugsource-0:6.4.2-1.el9_4.s390x",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_4.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_4.x86_64"
},
"product_reference": "python-tornado-debugsource-0:6.4.2-1.el9_4.x86_64",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-0:6.4.2-1.el9_4.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_4.aarch64"
},
"product_reference": "python3-tornado-0:6.4.2-1.el9_4.aarch64",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-0:6.4.2-1.el9_4.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_4.ppc64le"
},
"product_reference": "python3-tornado-0:6.4.2-1.el9_4.ppc64le",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-0:6.4.2-1.el9_4.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_4.s390x"
},
"product_reference": "python3-tornado-0:6.4.2-1.el9_4.s390x",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-0:6.4.2-1.el9_4.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_4.x86_64"
},
"product_reference": "python3-tornado-0:6.4.2-1.el9_4.x86_64",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_4.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_4.aarch64"
},
"product_reference": "python3-tornado-debuginfo-0:6.4.2-1.el9_4.aarch64",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_4.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_4.ppc64le"
},
"product_reference": "python3-tornado-debuginfo-0:6.4.2-1.el9_4.ppc64le",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_4.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_4.s390x"
},
"product_reference": "python3-tornado-debuginfo-0:6.4.2-1.el9_4.s390x",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_4.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_4.x86_64"
},
"product_reference": "python3-tornado-debuginfo-0:6.4.2-1.el9_4.x86_64",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-52804",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2024-11-22T16:00:41.704855+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2328045"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Tornado\u0027s HTTP cookie parsing algorithm. This vulnerability allows excessive CPU consumption via maliciously crafted cookie headers due to quadratic complexity, potentially blocking the processing of other requests and leading to the loss of availability of the system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "python-tornado: Tornado has HTTP cookie parsing DoS vulnerability",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.4.0.Z.EUS:python-tornado-0:6.4.2-1.el9_4.src",
"AppStream-9.4.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_4.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-52804"
},
{
"category": "external",
"summary": "RHBZ#2328045",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2328045"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-52804",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-52804"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-52804",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52804"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-7pwv-g7hj-39pr",
"url": "https://github.com/advisories/GHSA-7pwv-g7hj-39pr"
},
{
"category": "external",
"summary": "https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533",
"url": "https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533"
},
{
"category": "external",
"summary": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c",
"url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c"
}
],
"release_date": "2024-11-22T15:43:38.572000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-12-05T11:25:56+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.4.0.Z.EUS:python-tornado-0:6.4.2-1.el9_4.src",
"AppStream-9.4.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_4.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:10843"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.4.0.Z.EUS:python-tornado-0:6.4.2-1.el9_4.src",
"AppStream-9.4.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_4.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.4.0.Z.EUS:python-tornado-0:6.4.2-1.el9_4.src",
"AppStream-9.4.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_4.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "python-tornado: Tornado has HTTP cookie parsing DoS vulnerability"
}
]
}
RHSA-2024:10843
Vulnerability from csaf_redhat
Notes
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for python-tornado is now available for Red Hat Enterprise Linux 9.4 Extended Update Support.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Tornado is a Python web framework and asynchronous networking library that provides an open source version of a scalable, non-blocking web server and tools.\n\nSecurity Fix(es):\n\n* python-tornado: Tornado has HTTP cookie parsing DoS vulnerability (CVE-2024-52804)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2024:10843",
"url": "https://access.redhat.com/errata/RHSA-2024:10843"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2328045",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2328045"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_10843.json"
}
],
"title": "Red Hat Security Advisory: python-tornado security update",
"tracking": {
"current_release_date": "2025-11-06T22:34:22+00:00",
"generator": {
"date": "2025-11-06T22:34:22+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.11"
}
},
"id": "RHSA-2024:10843",
"initial_release_date": "2024-12-05T11:25:56+00:00",
"revision_history": [
{
"date": "2024-12-05T11:25:56+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2024-12-05T11:25:56+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-06T22:34:22+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product": {
"name": "Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_eus:9.4::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "python-tornado-0:6.4.2-1.el9_4.src",
"product": {
"name": "python-tornado-0:6.4.2-1.el9_4.src",
"product_id": "python-tornado-0:6.4.2-1.el9_4.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-tornado@6.4.2-1.el9_4?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "python3-tornado-0:6.4.2-1.el9_4.aarch64",
"product": {
"name": "python3-tornado-0:6.4.2-1.el9_4.aarch64",
"product_id": "python3-tornado-0:6.4.2-1.el9_4.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado@6.4.2-1.el9_4?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "python-tornado-debugsource-0:6.4.2-1.el9_4.aarch64",
"product": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_4.aarch64",
"product_id": "python-tornado-debugsource-0:6.4.2-1.el9_4.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-tornado-debugsource@6.4.2-1.el9_4?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_4.aarch64",
"product": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_4.aarch64",
"product_id": "python3-tornado-debuginfo-0:6.4.2-1.el9_4.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado-debuginfo@6.4.2-1.el9_4?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "python3-tornado-0:6.4.2-1.el9_4.ppc64le",
"product": {
"name": "python3-tornado-0:6.4.2-1.el9_4.ppc64le",
"product_id": "python3-tornado-0:6.4.2-1.el9_4.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado@6.4.2-1.el9_4?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "python-tornado-debugsource-0:6.4.2-1.el9_4.ppc64le",
"product": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_4.ppc64le",
"product_id": "python-tornado-debugsource-0:6.4.2-1.el9_4.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-tornado-debugsource@6.4.2-1.el9_4?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_4.ppc64le",
"product": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_4.ppc64le",
"product_id": "python3-tornado-debuginfo-0:6.4.2-1.el9_4.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado-debuginfo@6.4.2-1.el9_4?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "python3-tornado-0:6.4.2-1.el9_4.x86_64",
"product": {
"name": "python3-tornado-0:6.4.2-1.el9_4.x86_64",
"product_id": "python3-tornado-0:6.4.2-1.el9_4.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado@6.4.2-1.el9_4?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "python-tornado-debugsource-0:6.4.2-1.el9_4.x86_64",
"product": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_4.x86_64",
"product_id": "python-tornado-debugsource-0:6.4.2-1.el9_4.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-tornado-debugsource@6.4.2-1.el9_4?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_4.x86_64",
"product": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_4.x86_64",
"product_id": "python3-tornado-debuginfo-0:6.4.2-1.el9_4.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado-debuginfo@6.4.2-1.el9_4?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "python3-tornado-0:6.4.2-1.el9_4.s390x",
"product": {
"name": "python3-tornado-0:6.4.2-1.el9_4.s390x",
"product_id": "python3-tornado-0:6.4.2-1.el9_4.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado@6.4.2-1.el9_4?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "python-tornado-debugsource-0:6.4.2-1.el9_4.s390x",
"product": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_4.s390x",
"product_id": "python-tornado-debugsource-0:6.4.2-1.el9_4.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-tornado-debugsource@6.4.2-1.el9_4?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_4.s390x",
"product": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_4.s390x",
"product_id": "python3-tornado-debuginfo-0:6.4.2-1.el9_4.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado-debuginfo@6.4.2-1.el9_4?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python-tornado-0:6.4.2-1.el9_4.src as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:python-tornado-0:6.4.2-1.el9_4.src"
},
"product_reference": "python-tornado-0:6.4.2-1.el9_4.src",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_4.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_4.aarch64"
},
"product_reference": "python-tornado-debugsource-0:6.4.2-1.el9_4.aarch64",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_4.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_4.ppc64le"
},
"product_reference": "python-tornado-debugsource-0:6.4.2-1.el9_4.ppc64le",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_4.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_4.s390x"
},
"product_reference": "python-tornado-debugsource-0:6.4.2-1.el9_4.s390x",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_4.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_4.x86_64"
},
"product_reference": "python-tornado-debugsource-0:6.4.2-1.el9_4.x86_64",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-0:6.4.2-1.el9_4.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_4.aarch64"
},
"product_reference": "python3-tornado-0:6.4.2-1.el9_4.aarch64",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-0:6.4.2-1.el9_4.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_4.ppc64le"
},
"product_reference": "python3-tornado-0:6.4.2-1.el9_4.ppc64le",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-0:6.4.2-1.el9_4.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_4.s390x"
},
"product_reference": "python3-tornado-0:6.4.2-1.el9_4.s390x",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-0:6.4.2-1.el9_4.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_4.x86_64"
},
"product_reference": "python3-tornado-0:6.4.2-1.el9_4.x86_64",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_4.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_4.aarch64"
},
"product_reference": "python3-tornado-debuginfo-0:6.4.2-1.el9_4.aarch64",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_4.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_4.ppc64le"
},
"product_reference": "python3-tornado-debuginfo-0:6.4.2-1.el9_4.ppc64le",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_4.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_4.s390x"
},
"product_reference": "python3-tornado-debuginfo-0:6.4.2-1.el9_4.s390x",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_4.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_4.x86_64"
},
"product_reference": "python3-tornado-debuginfo-0:6.4.2-1.el9_4.x86_64",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-52804",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2024-11-22T16:00:41.704855+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2328045"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Tornado\u0027s HTTP cookie parsing algorithm. This vulnerability allows excessive CPU consumption via maliciously crafted cookie headers due to quadratic complexity, potentially blocking the processing of other requests and leading to the loss of availability of the system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "python-tornado: Tornado has HTTP cookie parsing DoS vulnerability",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.4.0.Z.EUS:python-tornado-0:6.4.2-1.el9_4.src",
"AppStream-9.4.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_4.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-52804"
},
{
"category": "external",
"summary": "RHBZ#2328045",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2328045"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-52804",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-52804"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-52804",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52804"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-7pwv-g7hj-39pr",
"url": "https://github.com/advisories/GHSA-7pwv-g7hj-39pr"
},
{
"category": "external",
"summary": "https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533",
"url": "https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533"
},
{
"category": "external",
"summary": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c",
"url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c"
}
],
"release_date": "2024-11-22T15:43:38.572000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-12-05T11:25:56+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.4.0.Z.EUS:python-tornado-0:6.4.2-1.el9_4.src",
"AppStream-9.4.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_4.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:10843"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.4.0.Z.EUS:python-tornado-0:6.4.2-1.el9_4.src",
"AppStream-9.4.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_4.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.4.0.Z.EUS:python-tornado-0:6.4.2-1.el9_4.src",
"AppStream-9.4.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_4.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "python-tornado: Tornado has HTTP cookie parsing DoS vulnerability"
}
]
}
rhsa-2024_10843
Vulnerability from csaf_redhat
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for python-tornado is now available for Red Hat Enterprise Linux 9.4 Extended Update Support.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Tornado is a Python web framework and asynchronous networking library that provides an open source version of scalable, non-blocking web server and tools.\n\nSecurity Fix(es):\n\n* python-tornado: Tornado has HTTP cookie parsing DoS vulnerability (CVE-2024-52804)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2024:10843",
"url": "https://access.redhat.com/errata/RHSA-2024:10843"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2328045",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2328045"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_10843.json"
}
],
"title": "Red Hat Security Advisory: python-tornado security update",
"tracking": {
"current_release_date": "2024-12-06T12:58:55+00:00",
"generator": {
"date": "2024-12-06T12:58:55+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.2"
}
},
"id": "RHSA-2024:10843",
"initial_release_date": "2024-12-05T11:25:56+00:00",
"revision_history": [
{
"date": "2024-12-05T11:25:56+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2024-12-05T11:25:56+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-12-06T12:58:55+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product": {
"name": "Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_eus:9.4::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "python-tornado-0:6.4.2-1.el9_4.src",
"product": {
"name": "python-tornado-0:6.4.2-1.el9_4.src",
"product_id": "python-tornado-0:6.4.2-1.el9_4.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-tornado@6.4.2-1.el9_4?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "python3-tornado-0:6.4.2-1.el9_4.aarch64",
"product": {
"name": "python3-tornado-0:6.4.2-1.el9_4.aarch64",
"product_id": "python3-tornado-0:6.4.2-1.el9_4.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado@6.4.2-1.el9_4?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "python-tornado-debugsource-0:6.4.2-1.el9_4.aarch64",
"product": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_4.aarch64",
"product_id": "python-tornado-debugsource-0:6.4.2-1.el9_4.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-tornado-debugsource@6.4.2-1.el9_4?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_4.aarch64",
"product": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_4.aarch64",
"product_id": "python3-tornado-debuginfo-0:6.4.2-1.el9_4.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado-debuginfo@6.4.2-1.el9_4?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "python3-tornado-0:6.4.2-1.el9_4.ppc64le",
"product": {
"name": "python3-tornado-0:6.4.2-1.el9_4.ppc64le",
"product_id": "python3-tornado-0:6.4.2-1.el9_4.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado@6.4.2-1.el9_4?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "python-tornado-debugsource-0:6.4.2-1.el9_4.ppc64le",
"product": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_4.ppc64le",
"product_id": "python-tornado-debugsource-0:6.4.2-1.el9_4.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-tornado-debugsource@6.4.2-1.el9_4?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_4.ppc64le",
"product": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_4.ppc64le",
"product_id": "python3-tornado-debuginfo-0:6.4.2-1.el9_4.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado-debuginfo@6.4.2-1.el9_4?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "python3-tornado-0:6.4.2-1.el9_4.x86_64",
"product": {
"name": "python3-tornado-0:6.4.2-1.el9_4.x86_64",
"product_id": "python3-tornado-0:6.4.2-1.el9_4.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado@6.4.2-1.el9_4?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "python-tornado-debugsource-0:6.4.2-1.el9_4.x86_64",
"product": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_4.x86_64",
"product_id": "python-tornado-debugsource-0:6.4.2-1.el9_4.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-tornado-debugsource@6.4.2-1.el9_4?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_4.x86_64",
"product": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_4.x86_64",
"product_id": "python3-tornado-debuginfo-0:6.4.2-1.el9_4.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado-debuginfo@6.4.2-1.el9_4?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "python3-tornado-0:6.4.2-1.el9_4.s390x",
"product": {
"name": "python3-tornado-0:6.4.2-1.el9_4.s390x",
"product_id": "python3-tornado-0:6.4.2-1.el9_4.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado@6.4.2-1.el9_4?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "python-tornado-debugsource-0:6.4.2-1.el9_4.s390x",
"product": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_4.s390x",
"product_id": "python-tornado-debugsource-0:6.4.2-1.el9_4.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-tornado-debugsource@6.4.2-1.el9_4?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_4.s390x",
"product": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_4.s390x",
"product_id": "python3-tornado-debuginfo-0:6.4.2-1.el9_4.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado-debuginfo@6.4.2-1.el9_4?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python-tornado-0:6.4.2-1.el9_4.src as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:python-tornado-0:6.4.2-1.el9_4.src"
},
"product_reference": "python-tornado-0:6.4.2-1.el9_4.src",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_4.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_4.aarch64"
},
"product_reference": "python-tornado-debugsource-0:6.4.2-1.el9_4.aarch64",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_4.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_4.ppc64le"
},
"product_reference": "python-tornado-debugsource-0:6.4.2-1.el9_4.ppc64le",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_4.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_4.s390x"
},
"product_reference": "python-tornado-debugsource-0:6.4.2-1.el9_4.s390x",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_4.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_4.x86_64"
},
"product_reference": "python-tornado-debugsource-0:6.4.2-1.el9_4.x86_64",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-0:6.4.2-1.el9_4.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_4.aarch64"
},
"product_reference": "python3-tornado-0:6.4.2-1.el9_4.aarch64",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-0:6.4.2-1.el9_4.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_4.ppc64le"
},
"product_reference": "python3-tornado-0:6.4.2-1.el9_4.ppc64le",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-0:6.4.2-1.el9_4.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_4.s390x"
},
"product_reference": "python3-tornado-0:6.4.2-1.el9_4.s390x",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-0:6.4.2-1.el9_4.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_4.x86_64"
},
"product_reference": "python3-tornado-0:6.4.2-1.el9_4.x86_64",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_4.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_4.aarch64"
},
"product_reference": "python3-tornado-debuginfo-0:6.4.2-1.el9_4.aarch64",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_4.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_4.ppc64le"
},
"product_reference": "python3-tornado-debuginfo-0:6.4.2-1.el9_4.ppc64le",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_4.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_4.s390x"
},
"product_reference": "python3-tornado-debuginfo-0:6.4.2-1.el9_4.s390x",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_4.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_4.x86_64"
},
"product_reference": "python3-tornado-debuginfo-0:6.4.2-1.el9_4.x86_64",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-52804",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2024-11-22T16:00:41.704855+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2328045"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Tornado\u0027s HTTP cookie parsing algorithm, which exhibits quadratic complexity on maliciously crafted cookie headers. Such headers can cause excessive CPU consumption, potentially blocking the processing of other requests and leading to loss of availability of the system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "python-tornado: Tornado has HTTP cookie parsing DoS vulnerability",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.4.0.Z.EUS:python-tornado-0:6.4.2-1.el9_4.src",
"AppStream-9.4.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_4.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-52804"
},
{
"category": "external",
"summary": "RHBZ#2328045",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2328045"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-52804",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-52804"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-52804",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52804"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-7pwv-g7hj-39pr",
"url": "https://github.com/advisories/GHSA-7pwv-g7hj-39pr"
},
{
"category": "external",
"summary": "https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533",
"url": "https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533"
},
{
"category": "external",
"summary": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c",
"url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c"
}
],
"release_date": "2024-11-22T15:43:38.572000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-12-05T11:25:56+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.4.0.Z.EUS:python-tornado-0:6.4.2-1.el9_4.src",
"AppStream-9.4.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_4.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:10843"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria, which comprise ease of use and deployment, applicability to a widespread installation base, and stability.",
"product_ids": [
"AppStream-9.4.0.Z.EUS:python-tornado-0:6.4.2-1.el9_4.src",
"AppStream-9.4.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_4.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.4.0.Z.EUS:python-tornado-0:6.4.2-1.el9_4.src",
"AppStream-9.4.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_4.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "python-tornado: Tornado has HTTP cookie parsing DoS vulnerability"
}
]
}
rhsa-2025:2955
Vulnerability from csaf_redhat
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for pcs is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities.\n\nSecurity Fix(es):\n\n* python-tornado: Tornado has HTTP cookie parsing DoS vulnerability (CVE-2024-52804)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:2955",
"url": "https://access.redhat.com/errata/RHSA-2025:2955"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2328045",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2328045"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_2955.json"
}
],
"title": "Red Hat Security Advisory: pcs security update",
"tracking": {
"current_release_date": "2025-11-06T22:35:41+00:00",
"generator": {
"date": "2025-11-06T22:35:41+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.11"
}
},
"id": "RHSA-2025:2955",
"initial_release_date": "2025-03-17T16:11:05+00:00",
"revision_history": [
{
"date": "2025-03-17T16:11:05+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-03-17T16:11:05+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-06T22:35:41+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux HighAvailability TUS (v.8.4)",
"product": {
"name": "Red Hat Enterprise Linux HighAvailability TUS (v.8.4)",
"product_id": "HighAvailability-8.4.0.Z.TUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_tus:8.4::highavailability"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux HighAvailability E4S (v.8.4)",
"product": {
"name": "Red Hat Enterprise Linux HighAvailability E4S (v.8.4)",
"product_id": "HighAvailability-8.4.0.Z.E4S",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_e4s:8.4::highavailability"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "pcs-0:0.10.8-1.el8_4.6.src",
"product": {
"name": "pcs-0:0.10.8-1.el8_4.6.src",
"product_id": "pcs-0:0.10.8-1.el8_4.6.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/pcs@0.10.8-1.el8_4.6?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "pcs-0:0.10.8-1.el8_4.6.x86_64",
"product": {
"name": "pcs-0:0.10.8-1.el8_4.6.x86_64",
"product_id": "pcs-0:0.10.8-1.el8_4.6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/pcs@0.10.8-1.el8_4.6?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "pcs-snmp-0:0.10.8-1.el8_4.6.x86_64",
"product": {
"name": "pcs-snmp-0:0.10.8-1.el8_4.6.x86_64",
"product_id": "pcs-snmp-0:0.10.8-1.el8_4.6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/pcs-snmp@0.10.8-1.el8_4.6?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "pcs-0:0.10.8-1.el8_4.6.ppc64le",
"product": {
"name": "pcs-0:0.10.8-1.el8_4.6.ppc64le",
"product_id": "pcs-0:0.10.8-1.el8_4.6.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/pcs@0.10.8-1.el8_4.6?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "pcs-snmp-0:0.10.8-1.el8_4.6.ppc64le",
"product": {
"name": "pcs-snmp-0:0.10.8-1.el8_4.6.ppc64le",
"product_id": "pcs-snmp-0:0.10.8-1.el8_4.6.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/pcs-snmp@0.10.8-1.el8_4.6?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.10.8-1.el8_4.6.ppc64le as a component of Red Hat Enterprise Linux HighAvailability E4S (v.8.4)",
"product_id": "HighAvailability-8.4.0.Z.E4S:pcs-0:0.10.8-1.el8_4.6.ppc64le"
},
"product_reference": "pcs-0:0.10.8-1.el8_4.6.ppc64le",
"relates_to_product_reference": "HighAvailability-8.4.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.10.8-1.el8_4.6.src as a component of Red Hat Enterprise Linux HighAvailability E4S (v.8.4)",
"product_id": "HighAvailability-8.4.0.Z.E4S:pcs-0:0.10.8-1.el8_4.6.src"
},
"product_reference": "pcs-0:0.10.8-1.el8_4.6.src",
"relates_to_product_reference": "HighAvailability-8.4.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.10.8-1.el8_4.6.x86_64 as a component of Red Hat Enterprise Linux HighAvailability E4S (v.8.4)",
"product_id": "HighAvailability-8.4.0.Z.E4S:pcs-0:0.10.8-1.el8_4.6.x86_64"
},
"product_reference": "pcs-0:0.10.8-1.el8_4.6.x86_64",
"relates_to_product_reference": "HighAvailability-8.4.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-snmp-0:0.10.8-1.el8_4.6.ppc64le as a component of Red Hat Enterprise Linux HighAvailability E4S (v.8.4)",
"product_id": "HighAvailability-8.4.0.Z.E4S:pcs-snmp-0:0.10.8-1.el8_4.6.ppc64le"
},
"product_reference": "pcs-snmp-0:0.10.8-1.el8_4.6.ppc64le",
"relates_to_product_reference": "HighAvailability-8.4.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-snmp-0:0.10.8-1.el8_4.6.x86_64 as a component of Red Hat Enterprise Linux HighAvailability E4S (v.8.4)",
"product_id": "HighAvailability-8.4.0.Z.E4S:pcs-snmp-0:0.10.8-1.el8_4.6.x86_64"
},
"product_reference": "pcs-snmp-0:0.10.8-1.el8_4.6.x86_64",
"relates_to_product_reference": "HighAvailability-8.4.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.10.8-1.el8_4.6.src as a component of Red Hat Enterprise Linux HighAvailability TUS (v.8.4)",
"product_id": "HighAvailability-8.4.0.Z.TUS:pcs-0:0.10.8-1.el8_4.6.src"
},
"product_reference": "pcs-0:0.10.8-1.el8_4.6.src",
"relates_to_product_reference": "HighAvailability-8.4.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.10.8-1.el8_4.6.x86_64 as a component of Red Hat Enterprise Linux HighAvailability TUS (v.8.4)",
"product_id": "HighAvailability-8.4.0.Z.TUS:pcs-0:0.10.8-1.el8_4.6.x86_64"
},
"product_reference": "pcs-0:0.10.8-1.el8_4.6.x86_64",
"relates_to_product_reference": "HighAvailability-8.4.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-snmp-0:0.10.8-1.el8_4.6.x86_64 as a component of Red Hat Enterprise Linux HighAvailability TUS (v.8.4)",
"product_id": "HighAvailability-8.4.0.Z.TUS:pcs-snmp-0:0.10.8-1.el8_4.6.x86_64"
},
"product_reference": "pcs-snmp-0:0.10.8-1.el8_4.6.x86_64",
"relates_to_product_reference": "HighAvailability-8.4.0.Z.TUS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-52804",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2024-11-22T16:00:41.704855+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2328045"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Tornado\u0027s HTTP cookie parsing algorithm, which exhibits quadratic complexity on maliciously crafted cookie headers. Such headers can cause excessive CPU consumption, potentially blocking the processing of other requests and leading to loss of availability of the system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "python-tornado: Tornado has HTTP cookie parsing DoS vulnerability",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"HighAvailability-8.4.0.Z.E4S:pcs-0:0.10.8-1.el8_4.6.ppc64le",
"HighAvailability-8.4.0.Z.E4S:pcs-0:0.10.8-1.el8_4.6.src",
"HighAvailability-8.4.0.Z.E4S:pcs-0:0.10.8-1.el8_4.6.x86_64",
"HighAvailability-8.4.0.Z.E4S:pcs-snmp-0:0.10.8-1.el8_4.6.ppc64le",
"HighAvailability-8.4.0.Z.E4S:pcs-snmp-0:0.10.8-1.el8_4.6.x86_64",
"HighAvailability-8.4.0.Z.TUS:pcs-0:0.10.8-1.el8_4.6.src",
"HighAvailability-8.4.0.Z.TUS:pcs-0:0.10.8-1.el8_4.6.x86_64",
"HighAvailability-8.4.0.Z.TUS:pcs-snmp-0:0.10.8-1.el8_4.6.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-52804"
},
{
"category": "external",
"summary": "RHBZ#2328045",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2328045"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-52804",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-52804"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-52804",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52804"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-7pwv-g7hj-39pr",
"url": "https://github.com/advisories/GHSA-7pwv-g7hj-39pr"
},
{
"category": "external",
"summary": "https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533",
"url": "https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533"
},
{
"category": "external",
"summary": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c",
"url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c"
}
],
"release_date": "2024-11-22T15:43:38.572000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-03-17T16:11:05+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"HighAvailability-8.4.0.Z.E4S:pcs-0:0.10.8-1.el8_4.6.ppc64le",
"HighAvailability-8.4.0.Z.E4S:pcs-0:0.10.8-1.el8_4.6.src",
"HighAvailability-8.4.0.Z.E4S:pcs-0:0.10.8-1.el8_4.6.x86_64",
"HighAvailability-8.4.0.Z.E4S:pcs-snmp-0:0.10.8-1.el8_4.6.ppc64le",
"HighAvailability-8.4.0.Z.E4S:pcs-snmp-0:0.10.8-1.el8_4.6.x86_64",
"HighAvailability-8.4.0.Z.TUS:pcs-0:0.10.8-1.el8_4.6.src",
"HighAvailability-8.4.0.Z.TUS:pcs-0:0.10.8-1.el8_4.6.x86_64",
"HighAvailability-8.4.0.Z.TUS:pcs-snmp-0:0.10.8-1.el8_4.6.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:2955"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria, which comprise ease of use and deployment, applicability to a widespread installation base, and stability.",
"product_ids": [
"HighAvailability-8.4.0.Z.E4S:pcs-0:0.10.8-1.el8_4.6.ppc64le",
"HighAvailability-8.4.0.Z.E4S:pcs-0:0.10.8-1.el8_4.6.src",
"HighAvailability-8.4.0.Z.E4S:pcs-0:0.10.8-1.el8_4.6.x86_64",
"HighAvailability-8.4.0.Z.E4S:pcs-snmp-0:0.10.8-1.el8_4.6.ppc64le",
"HighAvailability-8.4.0.Z.E4S:pcs-snmp-0:0.10.8-1.el8_4.6.x86_64",
"HighAvailability-8.4.0.Z.TUS:pcs-0:0.10.8-1.el8_4.6.src",
"HighAvailability-8.4.0.Z.TUS:pcs-0:0.10.8-1.el8_4.6.x86_64",
"HighAvailability-8.4.0.Z.TUS:pcs-snmp-0:0.10.8-1.el8_4.6.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"HighAvailability-8.4.0.Z.E4S:pcs-0:0.10.8-1.el8_4.6.ppc64le",
"HighAvailability-8.4.0.Z.E4S:pcs-0:0.10.8-1.el8_4.6.src",
"HighAvailability-8.4.0.Z.E4S:pcs-0:0.10.8-1.el8_4.6.x86_64",
"HighAvailability-8.4.0.Z.E4S:pcs-snmp-0:0.10.8-1.el8_4.6.ppc64le",
"HighAvailability-8.4.0.Z.E4S:pcs-snmp-0:0.10.8-1.el8_4.6.x86_64",
"HighAvailability-8.4.0.Z.TUS:pcs-0:0.10.8-1.el8_4.6.src",
"HighAvailability-8.4.0.Z.TUS:pcs-0:0.10.8-1.el8_4.6.x86_64",
"HighAvailability-8.4.0.Z.TUS:pcs-snmp-0:0.10.8-1.el8_4.6.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "python-tornado: Tornado has HTTP cookie parsing DoS vulnerability"
}
]
}
rhsa-2025:2470
Vulnerability from csaf_redhat
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for pcs is now available for Red Hat Enterprise Linux 9.4 Extended Update Support.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities.\n\nSecurity Fix(es):\n\n* python-tornado: Tornado has HTTP cookie parsing DoS vulnerability (CVE-2024-52804)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:2470",
"url": "https://access.redhat.com/errata/RHSA-2025:2470"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2328045",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2328045"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_2470.json"
}
],
"title": "Red Hat Security Advisory: pcs security update",
"tracking": {
"current_release_date": "2025-11-06T22:35:31+00:00",
"generator": {
"date": "2025-11-06T22:35:31+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.11"
}
},
"id": "RHSA-2025:2470",
"initial_release_date": "2025-03-10T01:04:42+00:00",
"revision_history": [
{
"date": "2025-03-10T01:04:42+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-03-10T01:04:42+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-06T22:35:31+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux High Availability EUS (v.9.4)",
"product": {
"name": "Red Hat Enterprise Linux High Availability EUS (v.9.4)",
"product_id": "HighAvailability-9.4.0.Z.EUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_eus:9.4::highavailability"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Resilient Storage EUS (v.9.4)",
"product": {
"name": "Red Hat Enterprise Linux Resilient Storage EUS (v.9.4)",
"product_id": "ResilientStorage-9.4.0.Z.EUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_eus:9.4::resilientstorage"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "pcs-0:0.11.7-2.el9_4.3.src",
"product": {
"name": "pcs-0:0.11.7-2.el9_4.3.src",
"product_id": "pcs-0:0.11.7-2.el9_4.3.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/pcs@0.11.7-2.el9_4.3?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "pcs-0:0.11.7-2.el9_4.3.aarch64",
"product": {
"name": "pcs-0:0.11.7-2.el9_4.3.aarch64",
"product_id": "pcs-0:0.11.7-2.el9_4.3.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/pcs@0.11.7-2.el9_4.3?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "pcs-snmp-0:0.11.7-2.el9_4.3.aarch64",
"product": {
"name": "pcs-snmp-0:0.11.7-2.el9_4.3.aarch64",
"product_id": "pcs-snmp-0:0.11.7-2.el9_4.3.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/pcs-snmp@0.11.7-2.el9_4.3?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "pcs-0:0.11.7-2.el9_4.3.ppc64le",
"product": {
"name": "pcs-0:0.11.7-2.el9_4.3.ppc64le",
"product_id": "pcs-0:0.11.7-2.el9_4.3.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/pcs@0.11.7-2.el9_4.3?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "pcs-snmp-0:0.11.7-2.el9_4.3.ppc64le",
"product": {
"name": "pcs-snmp-0:0.11.7-2.el9_4.3.ppc64le",
"product_id": "pcs-snmp-0:0.11.7-2.el9_4.3.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/pcs-snmp@0.11.7-2.el9_4.3?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "pcs-0:0.11.7-2.el9_4.3.x86_64",
"product": {
"name": "pcs-0:0.11.7-2.el9_4.3.x86_64",
"product_id": "pcs-0:0.11.7-2.el9_4.3.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/pcs@0.11.7-2.el9_4.3?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "pcs-snmp-0:0.11.7-2.el9_4.3.x86_64",
"product": {
"name": "pcs-snmp-0:0.11.7-2.el9_4.3.x86_64",
"product_id": "pcs-snmp-0:0.11.7-2.el9_4.3.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/pcs-snmp@0.11.7-2.el9_4.3?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "pcs-0:0.11.7-2.el9_4.3.s390x",
"product": {
"name": "pcs-0:0.11.7-2.el9_4.3.s390x",
"product_id": "pcs-0:0.11.7-2.el9_4.3.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/pcs@0.11.7-2.el9_4.3?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "pcs-snmp-0:0.11.7-2.el9_4.3.s390x",
"product": {
"name": "pcs-snmp-0:0.11.7-2.el9_4.3.s390x",
"product_id": "pcs-snmp-0:0.11.7-2.el9_4.3.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/pcs-snmp@0.11.7-2.el9_4.3?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.11.7-2.el9_4.3.aarch64 as a component of Red Hat Enterprise Linux High Availability EUS (v.9.4)",
"product_id": "HighAvailability-9.4.0.Z.EUS:pcs-0:0.11.7-2.el9_4.3.aarch64"
},
"product_reference": "pcs-0:0.11.7-2.el9_4.3.aarch64",
"relates_to_product_reference": "HighAvailability-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.11.7-2.el9_4.3.ppc64le as a component of Red Hat Enterprise Linux High Availability EUS (v.9.4)",
"product_id": "HighAvailability-9.4.0.Z.EUS:pcs-0:0.11.7-2.el9_4.3.ppc64le"
},
"product_reference": "pcs-0:0.11.7-2.el9_4.3.ppc64le",
"relates_to_product_reference": "HighAvailability-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.11.7-2.el9_4.3.s390x as a component of Red Hat Enterprise Linux High Availability EUS (v.9.4)",
"product_id": "HighAvailability-9.4.0.Z.EUS:pcs-0:0.11.7-2.el9_4.3.s390x"
},
"product_reference": "pcs-0:0.11.7-2.el9_4.3.s390x",
"relates_to_product_reference": "HighAvailability-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.11.7-2.el9_4.3.src as a component of Red Hat Enterprise Linux High Availability EUS (v.9.4)",
"product_id": "HighAvailability-9.4.0.Z.EUS:pcs-0:0.11.7-2.el9_4.3.src"
},
"product_reference": "pcs-0:0.11.7-2.el9_4.3.src",
"relates_to_product_reference": "HighAvailability-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.11.7-2.el9_4.3.x86_64 as a component of Red Hat Enterprise Linux High Availability EUS (v.9.4)",
"product_id": "HighAvailability-9.4.0.Z.EUS:pcs-0:0.11.7-2.el9_4.3.x86_64"
},
"product_reference": "pcs-0:0.11.7-2.el9_4.3.x86_64",
"relates_to_product_reference": "HighAvailability-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-snmp-0:0.11.7-2.el9_4.3.aarch64 as a component of Red Hat Enterprise Linux High Availability EUS (v.9.4)",
"product_id": "HighAvailability-9.4.0.Z.EUS:pcs-snmp-0:0.11.7-2.el9_4.3.aarch64"
},
"product_reference": "pcs-snmp-0:0.11.7-2.el9_4.3.aarch64",
"relates_to_product_reference": "HighAvailability-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-snmp-0:0.11.7-2.el9_4.3.ppc64le as a component of Red Hat Enterprise Linux High Availability EUS (v.9.4)",
"product_id": "HighAvailability-9.4.0.Z.EUS:pcs-snmp-0:0.11.7-2.el9_4.3.ppc64le"
},
"product_reference": "pcs-snmp-0:0.11.7-2.el9_4.3.ppc64le",
"relates_to_product_reference": "HighAvailability-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-snmp-0:0.11.7-2.el9_4.3.s390x as a component of Red Hat Enterprise Linux High Availability EUS (v.9.4)",
"product_id": "HighAvailability-9.4.0.Z.EUS:pcs-snmp-0:0.11.7-2.el9_4.3.s390x"
},
"product_reference": "pcs-snmp-0:0.11.7-2.el9_4.3.s390x",
"relates_to_product_reference": "HighAvailability-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-snmp-0:0.11.7-2.el9_4.3.x86_64 as a component of Red Hat Enterprise Linux High Availability EUS (v.9.4)",
"product_id": "HighAvailability-9.4.0.Z.EUS:pcs-snmp-0:0.11.7-2.el9_4.3.x86_64"
},
"product_reference": "pcs-snmp-0:0.11.7-2.el9_4.3.x86_64",
"relates_to_product_reference": "HighAvailability-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.11.7-2.el9_4.3.aarch64 as a component of Red Hat Enterprise Linux Resilient Storage EUS (v.9.4)",
"product_id": "ResilientStorage-9.4.0.Z.EUS:pcs-0:0.11.7-2.el9_4.3.aarch64"
},
"product_reference": "pcs-0:0.11.7-2.el9_4.3.aarch64",
"relates_to_product_reference": "ResilientStorage-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.11.7-2.el9_4.3.ppc64le as a component of Red Hat Enterprise Linux Resilient Storage EUS (v.9.4)",
"product_id": "ResilientStorage-9.4.0.Z.EUS:pcs-0:0.11.7-2.el9_4.3.ppc64le"
},
"product_reference": "pcs-0:0.11.7-2.el9_4.3.ppc64le",
"relates_to_product_reference": "ResilientStorage-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.11.7-2.el9_4.3.s390x as a component of Red Hat Enterprise Linux Resilient Storage EUS (v.9.4)",
"product_id": "ResilientStorage-9.4.0.Z.EUS:pcs-0:0.11.7-2.el9_4.3.s390x"
},
"product_reference": "pcs-0:0.11.7-2.el9_4.3.s390x",
"relates_to_product_reference": "ResilientStorage-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.11.7-2.el9_4.3.src as a component of Red Hat Enterprise Linux Resilient Storage EUS (v.9.4)",
"product_id": "ResilientStorage-9.4.0.Z.EUS:pcs-0:0.11.7-2.el9_4.3.src"
},
"product_reference": "pcs-0:0.11.7-2.el9_4.3.src",
"relates_to_product_reference": "ResilientStorage-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.11.7-2.el9_4.3.x86_64 as a component of Red Hat Enterprise Linux Resilient Storage EUS (v.9.4)",
"product_id": "ResilientStorage-9.4.0.Z.EUS:pcs-0:0.11.7-2.el9_4.3.x86_64"
},
"product_reference": "pcs-0:0.11.7-2.el9_4.3.x86_64",
"relates_to_product_reference": "ResilientStorage-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-snmp-0:0.11.7-2.el9_4.3.aarch64 as a component of Red Hat Enterprise Linux Resilient Storage EUS (v.9.4)",
"product_id": "ResilientStorage-9.4.0.Z.EUS:pcs-snmp-0:0.11.7-2.el9_4.3.aarch64"
},
"product_reference": "pcs-snmp-0:0.11.7-2.el9_4.3.aarch64",
"relates_to_product_reference": "ResilientStorage-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-snmp-0:0.11.7-2.el9_4.3.ppc64le as a component of Red Hat Enterprise Linux Resilient Storage EUS (v.9.4)",
"product_id": "ResilientStorage-9.4.0.Z.EUS:pcs-snmp-0:0.11.7-2.el9_4.3.ppc64le"
},
"product_reference": "pcs-snmp-0:0.11.7-2.el9_4.3.ppc64le",
"relates_to_product_reference": "ResilientStorage-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-snmp-0:0.11.7-2.el9_4.3.s390x as a component of Red Hat Enterprise Linux Resilient Storage EUS (v.9.4)",
"product_id": "ResilientStorage-9.4.0.Z.EUS:pcs-snmp-0:0.11.7-2.el9_4.3.s390x"
},
"product_reference": "pcs-snmp-0:0.11.7-2.el9_4.3.s390x",
"relates_to_product_reference": "ResilientStorage-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-snmp-0:0.11.7-2.el9_4.3.x86_64 as a component of Red Hat Enterprise Linux Resilient Storage EUS (v.9.4)",
"product_id": "ResilientStorage-9.4.0.Z.EUS:pcs-snmp-0:0.11.7-2.el9_4.3.x86_64"
},
"product_reference": "pcs-snmp-0:0.11.7-2.el9_4.3.x86_64",
"relates_to_product_reference": "ResilientStorage-9.4.0.Z.EUS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-52804",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2024-11-22T16:00:41.704855+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2328045"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Tornado\u0027s HTTP cookie parsing algorithm. This vulnerability allows excessive CPU consumption via maliciously crafted cookie headers due to quadratic complexity, potentially blocking the processing of other requests and leading to the loss of availability of the system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "python-tornado: Tornado has HTTP cookie parsing DoS vulnerability",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"HighAvailability-9.4.0.Z.EUS:pcs-0:0.11.7-2.el9_4.3.aarch64",
"HighAvailability-9.4.0.Z.EUS:pcs-0:0.11.7-2.el9_4.3.ppc64le",
"HighAvailability-9.4.0.Z.EUS:pcs-0:0.11.7-2.el9_4.3.s390x",
"HighAvailability-9.4.0.Z.EUS:pcs-0:0.11.7-2.el9_4.3.src",
"HighAvailability-9.4.0.Z.EUS:pcs-0:0.11.7-2.el9_4.3.x86_64",
"HighAvailability-9.4.0.Z.EUS:pcs-snmp-0:0.11.7-2.el9_4.3.aarch64",
"HighAvailability-9.4.0.Z.EUS:pcs-snmp-0:0.11.7-2.el9_4.3.ppc64le",
"HighAvailability-9.4.0.Z.EUS:pcs-snmp-0:0.11.7-2.el9_4.3.s390x",
"HighAvailability-9.4.0.Z.EUS:pcs-snmp-0:0.11.7-2.el9_4.3.x86_64",
"ResilientStorage-9.4.0.Z.EUS:pcs-0:0.11.7-2.el9_4.3.aarch64",
"ResilientStorage-9.4.0.Z.EUS:pcs-0:0.11.7-2.el9_4.3.ppc64le",
"ResilientStorage-9.4.0.Z.EUS:pcs-0:0.11.7-2.el9_4.3.s390x",
"ResilientStorage-9.4.0.Z.EUS:pcs-0:0.11.7-2.el9_4.3.src",
"ResilientStorage-9.4.0.Z.EUS:pcs-0:0.11.7-2.el9_4.3.x86_64",
"ResilientStorage-9.4.0.Z.EUS:pcs-snmp-0:0.11.7-2.el9_4.3.aarch64",
"ResilientStorage-9.4.0.Z.EUS:pcs-snmp-0:0.11.7-2.el9_4.3.ppc64le",
"ResilientStorage-9.4.0.Z.EUS:pcs-snmp-0:0.11.7-2.el9_4.3.s390x",
"ResilientStorage-9.4.0.Z.EUS:pcs-snmp-0:0.11.7-2.el9_4.3.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-52804"
},
{
"category": "external",
"summary": "RHBZ#2328045",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2328045"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-52804",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-52804"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-52804",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52804"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-7pwv-g7hj-39pr",
"url": "https://github.com/advisories/GHSA-7pwv-g7hj-39pr"
},
{
"category": "external",
"summary": "https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533",
"url": "https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533"
},
{
"category": "external",
"summary": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c",
"url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c"
}
],
"release_date": "2024-11-22T15:43:38.572000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-03-10T01:04:42+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"HighAvailability-9.4.0.Z.EUS:pcs-0:0.11.7-2.el9_4.3.aarch64",
"HighAvailability-9.4.0.Z.EUS:pcs-0:0.11.7-2.el9_4.3.ppc64le",
"HighAvailability-9.4.0.Z.EUS:pcs-0:0.11.7-2.el9_4.3.s390x",
"HighAvailability-9.4.0.Z.EUS:pcs-0:0.11.7-2.el9_4.3.src",
"HighAvailability-9.4.0.Z.EUS:pcs-0:0.11.7-2.el9_4.3.x86_64",
"HighAvailability-9.4.0.Z.EUS:pcs-snmp-0:0.11.7-2.el9_4.3.aarch64",
"HighAvailability-9.4.0.Z.EUS:pcs-snmp-0:0.11.7-2.el9_4.3.ppc64le",
"HighAvailability-9.4.0.Z.EUS:pcs-snmp-0:0.11.7-2.el9_4.3.s390x",
"HighAvailability-9.4.0.Z.EUS:pcs-snmp-0:0.11.7-2.el9_4.3.x86_64",
"ResilientStorage-9.4.0.Z.EUS:pcs-0:0.11.7-2.el9_4.3.aarch64",
"ResilientStorage-9.4.0.Z.EUS:pcs-0:0.11.7-2.el9_4.3.ppc64le",
"ResilientStorage-9.4.0.Z.EUS:pcs-0:0.11.7-2.el9_4.3.s390x",
"ResilientStorage-9.4.0.Z.EUS:pcs-0:0.11.7-2.el9_4.3.src",
"ResilientStorage-9.4.0.Z.EUS:pcs-0:0.11.7-2.el9_4.3.x86_64",
"ResilientStorage-9.4.0.Z.EUS:pcs-snmp-0:0.11.7-2.el9_4.3.aarch64",
"ResilientStorage-9.4.0.Z.EUS:pcs-snmp-0:0.11.7-2.el9_4.3.ppc64le",
"ResilientStorage-9.4.0.Z.EUS:pcs-snmp-0:0.11.7-2.el9_4.3.s390x",
"ResilientStorage-9.4.0.Z.EUS:pcs-snmp-0:0.11.7-2.el9_4.3.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:2470"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"HighAvailability-9.4.0.Z.EUS:pcs-0:0.11.7-2.el9_4.3.aarch64",
"HighAvailability-9.4.0.Z.EUS:pcs-0:0.11.7-2.el9_4.3.ppc64le",
"HighAvailability-9.4.0.Z.EUS:pcs-0:0.11.7-2.el9_4.3.s390x",
"HighAvailability-9.4.0.Z.EUS:pcs-0:0.11.7-2.el9_4.3.src",
"HighAvailability-9.4.0.Z.EUS:pcs-0:0.11.7-2.el9_4.3.x86_64",
"HighAvailability-9.4.0.Z.EUS:pcs-snmp-0:0.11.7-2.el9_4.3.aarch64",
"HighAvailability-9.4.0.Z.EUS:pcs-snmp-0:0.11.7-2.el9_4.3.ppc64le",
"HighAvailability-9.4.0.Z.EUS:pcs-snmp-0:0.11.7-2.el9_4.3.s390x",
"HighAvailability-9.4.0.Z.EUS:pcs-snmp-0:0.11.7-2.el9_4.3.x86_64",
"ResilientStorage-9.4.0.Z.EUS:pcs-0:0.11.7-2.el9_4.3.aarch64",
"ResilientStorage-9.4.0.Z.EUS:pcs-0:0.11.7-2.el9_4.3.ppc64le",
"ResilientStorage-9.4.0.Z.EUS:pcs-0:0.11.7-2.el9_4.3.s390x",
"ResilientStorage-9.4.0.Z.EUS:pcs-0:0.11.7-2.el9_4.3.src",
"ResilientStorage-9.4.0.Z.EUS:pcs-0:0.11.7-2.el9_4.3.x86_64",
"ResilientStorage-9.4.0.Z.EUS:pcs-snmp-0:0.11.7-2.el9_4.3.aarch64",
"ResilientStorage-9.4.0.Z.EUS:pcs-snmp-0:0.11.7-2.el9_4.3.ppc64le",
"ResilientStorage-9.4.0.Z.EUS:pcs-snmp-0:0.11.7-2.el9_4.3.s390x",
"ResilientStorage-9.4.0.Z.EUS:pcs-snmp-0:0.11.7-2.el9_4.3.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"HighAvailability-9.4.0.Z.EUS:pcs-0:0.11.7-2.el9_4.3.aarch64",
"HighAvailability-9.4.0.Z.EUS:pcs-0:0.11.7-2.el9_4.3.ppc64le",
"HighAvailability-9.4.0.Z.EUS:pcs-0:0.11.7-2.el9_4.3.s390x",
"HighAvailability-9.4.0.Z.EUS:pcs-0:0.11.7-2.el9_4.3.src",
"HighAvailability-9.4.0.Z.EUS:pcs-0:0.11.7-2.el9_4.3.x86_64",
"HighAvailability-9.4.0.Z.EUS:pcs-snmp-0:0.11.7-2.el9_4.3.aarch64",
"HighAvailability-9.4.0.Z.EUS:pcs-snmp-0:0.11.7-2.el9_4.3.ppc64le",
"HighAvailability-9.4.0.Z.EUS:pcs-snmp-0:0.11.7-2.el9_4.3.s390x",
"HighAvailability-9.4.0.Z.EUS:pcs-snmp-0:0.11.7-2.el9_4.3.x86_64",
"ResilientStorage-9.4.0.Z.EUS:pcs-0:0.11.7-2.el9_4.3.aarch64",
"ResilientStorage-9.4.0.Z.EUS:pcs-0:0.11.7-2.el9_4.3.ppc64le",
"ResilientStorage-9.4.0.Z.EUS:pcs-0:0.11.7-2.el9_4.3.s390x",
"ResilientStorage-9.4.0.Z.EUS:pcs-0:0.11.7-2.el9_4.3.src",
"ResilientStorage-9.4.0.Z.EUS:pcs-0:0.11.7-2.el9_4.3.x86_64",
"ResilientStorage-9.4.0.Z.EUS:pcs-snmp-0:0.11.7-2.el9_4.3.aarch64",
"ResilientStorage-9.4.0.Z.EUS:pcs-snmp-0:0.11.7-2.el9_4.3.ppc64le",
"ResilientStorage-9.4.0.Z.EUS:pcs-snmp-0:0.11.7-2.el9_4.3.s390x",
"ResilientStorage-9.4.0.Z.EUS:pcs-snmp-0:0.11.7-2.el9_4.3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "python-tornado: Tornado has HTTP cookie parsing DoS vulnerability"
}
]
}
rhsa-2024_10590
Vulnerability from csaf_redhat
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for python-tornado is now available for Red Hat Enterprise Linux 9.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Tornado is a Python web framework and asynchronous networking library that provides an open source version of scalable, non-blocking web server and tools.\n\nSecurity Fix(es):\n\n* python-tornado: Tornado has HTTP cookie parsing DoS vulnerability (CVE-2024-52804)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2024:10590",
"url": "https://access.redhat.com/errata/RHSA-2024:10590"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2328045",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2328045"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_10590.json"
}
],
"title": "Red Hat Security Advisory: python-tornado security update",
"tracking": {
"current_release_date": "2024-12-06T10:24:04+00:00",
"generator": {
"date": "2024-12-06T10:24:04+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.2"
}
},
"id": "RHSA-2024:10590",
"initial_release_date": "2024-12-02T01:31:22+00:00",
"revision_history": [
{
"date": "2024-12-02T01:31:22+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2024-12-02T01:31:22+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-12-06T10:24:04+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream (v. 9)",
"product": {
"name": "Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.5.0.Z.MAIN",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:enterprise_linux:9::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "python-tornado-0:6.4.2-1.el9_5.src",
"product": {
"name": "python-tornado-0:6.4.2-1.el9_5.src",
"product_id": "python-tornado-0:6.4.2-1.el9_5.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-tornado@6.4.2-1.el9_5?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "python3-tornado-0:6.4.2-1.el9_5.aarch64",
"product": {
"name": "python3-tornado-0:6.4.2-1.el9_5.aarch64",
"product_id": "python3-tornado-0:6.4.2-1.el9_5.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado@6.4.2-1.el9_5?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "python-tornado-debugsource-0:6.4.2-1.el9_5.aarch64",
"product": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_5.aarch64",
"product_id": "python-tornado-debugsource-0:6.4.2-1.el9_5.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-tornado-debugsource@6.4.2-1.el9_5?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_5.aarch64",
"product": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_5.aarch64",
"product_id": "python3-tornado-debuginfo-0:6.4.2-1.el9_5.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado-debuginfo@6.4.2-1.el9_5?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "python3-tornado-0:6.4.2-1.el9_5.ppc64le",
"product": {
"name": "python3-tornado-0:6.4.2-1.el9_5.ppc64le",
"product_id": "python3-tornado-0:6.4.2-1.el9_5.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado@6.4.2-1.el9_5?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "python-tornado-debugsource-0:6.4.2-1.el9_5.ppc64le",
"product": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_5.ppc64le",
"product_id": "python-tornado-debugsource-0:6.4.2-1.el9_5.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-tornado-debugsource@6.4.2-1.el9_5?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_5.ppc64le",
"product": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_5.ppc64le",
"product_id": "python3-tornado-debuginfo-0:6.4.2-1.el9_5.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado-debuginfo@6.4.2-1.el9_5?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "python3-tornado-0:6.4.2-1.el9_5.x86_64",
"product": {
"name": "python3-tornado-0:6.4.2-1.el9_5.x86_64",
"product_id": "python3-tornado-0:6.4.2-1.el9_5.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado@6.4.2-1.el9_5?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "python-tornado-debugsource-0:6.4.2-1.el9_5.x86_64",
"product": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_5.x86_64",
"product_id": "python-tornado-debugsource-0:6.4.2-1.el9_5.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-tornado-debugsource@6.4.2-1.el9_5?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_5.x86_64",
"product": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_5.x86_64",
"product_id": "python3-tornado-debuginfo-0:6.4.2-1.el9_5.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado-debuginfo@6.4.2-1.el9_5?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "python3-tornado-0:6.4.2-1.el9_5.s390x",
"product": {
"name": "python3-tornado-0:6.4.2-1.el9_5.s390x",
"product_id": "python3-tornado-0:6.4.2-1.el9_5.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado@6.4.2-1.el9_5?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "python-tornado-debugsource-0:6.4.2-1.el9_5.s390x",
"product": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_5.s390x",
"product_id": "python-tornado-debugsource-0:6.4.2-1.el9_5.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-tornado-debugsource@6.4.2-1.el9_5?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_5.s390x",
"product": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_5.s390x",
"product_id": "python3-tornado-debuginfo-0:6.4.2-1.el9_5.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado-debuginfo@6.4.2-1.el9_5?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python-tornado-0:6.4.2-1.el9_5.src as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.5.0.Z.MAIN:python-tornado-0:6.4.2-1.el9_5.src"
},
"product_reference": "python-tornado-0:6.4.2-1.el9_5.src",
"relates_to_product_reference": "AppStream-9.5.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_5.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.5.0.Z.MAIN:python-tornado-debugsource-0:6.4.2-1.el9_5.aarch64"
},
"product_reference": "python-tornado-debugsource-0:6.4.2-1.el9_5.aarch64",
"relates_to_product_reference": "AppStream-9.5.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_5.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.5.0.Z.MAIN:python-tornado-debugsource-0:6.4.2-1.el9_5.ppc64le"
},
"product_reference": "python-tornado-debugsource-0:6.4.2-1.el9_5.ppc64le",
"relates_to_product_reference": "AppStream-9.5.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_5.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.5.0.Z.MAIN:python-tornado-debugsource-0:6.4.2-1.el9_5.s390x"
},
"product_reference": "python-tornado-debugsource-0:6.4.2-1.el9_5.s390x",
"relates_to_product_reference": "AppStream-9.5.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_5.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.5.0.Z.MAIN:python-tornado-debugsource-0:6.4.2-1.el9_5.x86_64"
},
"product_reference": "python-tornado-debugsource-0:6.4.2-1.el9_5.x86_64",
"relates_to_product_reference": "AppStream-9.5.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-0:6.4.2-1.el9_5.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.5.0.Z.MAIN:python3-tornado-0:6.4.2-1.el9_5.aarch64"
},
"product_reference": "python3-tornado-0:6.4.2-1.el9_5.aarch64",
"relates_to_product_reference": "AppStream-9.5.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-0:6.4.2-1.el9_5.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.5.0.Z.MAIN:python3-tornado-0:6.4.2-1.el9_5.ppc64le"
},
"product_reference": "python3-tornado-0:6.4.2-1.el9_5.ppc64le",
"relates_to_product_reference": "AppStream-9.5.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-0:6.4.2-1.el9_5.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.5.0.Z.MAIN:python3-tornado-0:6.4.2-1.el9_5.s390x"
},
"product_reference": "python3-tornado-0:6.4.2-1.el9_5.s390x",
"relates_to_product_reference": "AppStream-9.5.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-0:6.4.2-1.el9_5.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.5.0.Z.MAIN:python3-tornado-0:6.4.2-1.el9_5.x86_64"
},
"product_reference": "python3-tornado-0:6.4.2-1.el9_5.x86_64",
"relates_to_product_reference": "AppStream-9.5.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_5.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.5.0.Z.MAIN:python3-tornado-debuginfo-0:6.4.2-1.el9_5.aarch64"
},
"product_reference": "python3-tornado-debuginfo-0:6.4.2-1.el9_5.aarch64",
"relates_to_product_reference": "AppStream-9.5.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_5.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.5.0.Z.MAIN:python3-tornado-debuginfo-0:6.4.2-1.el9_5.ppc64le"
},
"product_reference": "python3-tornado-debuginfo-0:6.4.2-1.el9_5.ppc64le",
"relates_to_product_reference": "AppStream-9.5.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_5.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.5.0.Z.MAIN:python3-tornado-debuginfo-0:6.4.2-1.el9_5.s390x"
},
"product_reference": "python3-tornado-debuginfo-0:6.4.2-1.el9_5.s390x",
"relates_to_product_reference": "AppStream-9.5.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_5.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.5.0.Z.MAIN:python3-tornado-debuginfo-0:6.4.2-1.el9_5.x86_64"
},
"product_reference": "python3-tornado-debuginfo-0:6.4.2-1.el9_5.x86_64",
"relates_to_product_reference": "AppStream-9.5.0.Z.MAIN"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-52804",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2024-11-22T16:00:41.704855+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2328045"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Tornado\u0027s HTTP cookie parsing algorithm. This vulnerability allows excessive CPU consumption via maliciously crafted cookie headers due to quadratic complexity, potentially blocking the processing of other requests and leading to the loss of availability of the system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "python-tornado: Tornado has HTTP cookie parsing DoS vulnerability",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.5.0.Z.MAIN:python-tornado-0:6.4.2-1.el9_5.src",
"AppStream-9.5.0.Z.MAIN:python-tornado-debugsource-0:6.4.2-1.el9_5.aarch64",
"AppStream-9.5.0.Z.MAIN:python-tornado-debugsource-0:6.4.2-1.el9_5.ppc64le",
"AppStream-9.5.0.Z.MAIN:python-tornado-debugsource-0:6.4.2-1.el9_5.s390x",
"AppStream-9.5.0.Z.MAIN:python-tornado-debugsource-0:6.4.2-1.el9_5.x86_64",
"AppStream-9.5.0.Z.MAIN:python3-tornado-0:6.4.2-1.el9_5.aarch64",
"AppStream-9.5.0.Z.MAIN:python3-tornado-0:6.4.2-1.el9_5.ppc64le",
"AppStream-9.5.0.Z.MAIN:python3-tornado-0:6.4.2-1.el9_5.s390x",
"AppStream-9.5.0.Z.MAIN:python3-tornado-0:6.4.2-1.el9_5.x86_64",
"AppStream-9.5.0.Z.MAIN:python3-tornado-debuginfo-0:6.4.2-1.el9_5.aarch64",
"AppStream-9.5.0.Z.MAIN:python3-tornado-debuginfo-0:6.4.2-1.el9_5.ppc64le",
"AppStream-9.5.0.Z.MAIN:python3-tornado-debuginfo-0:6.4.2-1.el9_5.s390x",
"AppStream-9.5.0.Z.MAIN:python3-tornado-debuginfo-0:6.4.2-1.el9_5.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-52804"
},
{
"category": "external",
"summary": "RHBZ#2328045",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2328045"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-52804",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-52804"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-52804",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52804"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-7pwv-g7hj-39pr",
"url": "https://github.com/advisories/GHSA-7pwv-g7hj-39pr"
},
{
"category": "external",
"summary": "https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533",
"url": "https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533"
},
{
"category": "external",
"summary": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c",
"url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c"
}
],
"release_date": "2024-11-22T15:43:38.572000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-12-02T01:31:22+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.5.0.Z.MAIN:python-tornado-0:6.4.2-1.el9_5.src",
"AppStream-9.5.0.Z.MAIN:python-tornado-debugsource-0:6.4.2-1.el9_5.aarch64",
"AppStream-9.5.0.Z.MAIN:python-tornado-debugsource-0:6.4.2-1.el9_5.ppc64le",
"AppStream-9.5.0.Z.MAIN:python-tornado-debugsource-0:6.4.2-1.el9_5.s390x",
"AppStream-9.5.0.Z.MAIN:python-tornado-debugsource-0:6.4.2-1.el9_5.x86_64",
"AppStream-9.5.0.Z.MAIN:python3-tornado-0:6.4.2-1.el9_5.aarch64",
"AppStream-9.5.0.Z.MAIN:python3-tornado-0:6.4.2-1.el9_5.ppc64le",
"AppStream-9.5.0.Z.MAIN:python3-tornado-0:6.4.2-1.el9_5.s390x",
"AppStream-9.5.0.Z.MAIN:python3-tornado-0:6.4.2-1.el9_5.x86_64",
"AppStream-9.5.0.Z.MAIN:python3-tornado-debuginfo-0:6.4.2-1.el9_5.aarch64",
"AppStream-9.5.0.Z.MAIN:python3-tornado-debuginfo-0:6.4.2-1.el9_5.ppc64le",
"AppStream-9.5.0.Z.MAIN:python3-tornado-debuginfo-0:6.4.2-1.el9_5.s390x",
"AppStream-9.5.0.Z.MAIN:python3-tornado-debuginfo-0:6.4.2-1.el9_5.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:10590"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.5.0.Z.MAIN:python-tornado-0:6.4.2-1.el9_5.src",
"AppStream-9.5.0.Z.MAIN:python-tornado-debugsource-0:6.4.2-1.el9_5.aarch64",
"AppStream-9.5.0.Z.MAIN:python-tornado-debugsource-0:6.4.2-1.el9_5.ppc64le",
"AppStream-9.5.0.Z.MAIN:python-tornado-debugsource-0:6.4.2-1.el9_5.s390x",
"AppStream-9.5.0.Z.MAIN:python-tornado-debugsource-0:6.4.2-1.el9_5.x86_64",
"AppStream-9.5.0.Z.MAIN:python3-tornado-0:6.4.2-1.el9_5.aarch64",
"AppStream-9.5.0.Z.MAIN:python3-tornado-0:6.4.2-1.el9_5.ppc64le",
"AppStream-9.5.0.Z.MAIN:python3-tornado-0:6.4.2-1.el9_5.s390x",
"AppStream-9.5.0.Z.MAIN:python3-tornado-0:6.4.2-1.el9_5.x86_64",
"AppStream-9.5.0.Z.MAIN:python3-tornado-debuginfo-0:6.4.2-1.el9_5.aarch64",
"AppStream-9.5.0.Z.MAIN:python3-tornado-debuginfo-0:6.4.2-1.el9_5.ppc64le",
"AppStream-9.5.0.Z.MAIN:python3-tornado-debuginfo-0:6.4.2-1.el9_5.s390x",
"AppStream-9.5.0.Z.MAIN:python3-tornado-debuginfo-0:6.4.2-1.el9_5.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.5.0.Z.MAIN:python-tornado-0:6.4.2-1.el9_5.src",
"AppStream-9.5.0.Z.MAIN:python-tornado-debugsource-0:6.4.2-1.el9_5.aarch64",
"AppStream-9.5.0.Z.MAIN:python-tornado-debugsource-0:6.4.2-1.el9_5.ppc64le",
"AppStream-9.5.0.Z.MAIN:python-tornado-debugsource-0:6.4.2-1.el9_5.s390x",
"AppStream-9.5.0.Z.MAIN:python-tornado-debugsource-0:6.4.2-1.el9_5.x86_64",
"AppStream-9.5.0.Z.MAIN:python3-tornado-0:6.4.2-1.el9_5.aarch64",
"AppStream-9.5.0.Z.MAIN:python3-tornado-0:6.4.2-1.el9_5.ppc64le",
"AppStream-9.5.0.Z.MAIN:python3-tornado-0:6.4.2-1.el9_5.s390x",
"AppStream-9.5.0.Z.MAIN:python3-tornado-0:6.4.2-1.el9_5.x86_64",
"AppStream-9.5.0.Z.MAIN:python3-tornado-debuginfo-0:6.4.2-1.el9_5.aarch64",
"AppStream-9.5.0.Z.MAIN:python3-tornado-debuginfo-0:6.4.2-1.el9_5.ppc64le",
"AppStream-9.5.0.Z.MAIN:python3-tornado-debuginfo-0:6.4.2-1.el9_5.s390x",
"AppStream-9.5.0.Z.MAIN:python3-tornado-debuginfo-0:6.4.2-1.el9_5.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "python-tornado: Tornado has HTTP cookie parsing DoS vulnerability"
}
]
}
RHSA-2024:10836
Vulnerability from csaf_redhat
Notes
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for python-tornado is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Tornado is a Python web framework and asynchronous networking library that provides an open source version of scalable, non-blocking web server and tools.\n\nSecurity Fix(es):\n\n* python-tornado: Tornado has HTTP cookie parsing DoS vulnerability (CVE-2024-52804)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2024:10836",
"url": "https://access.redhat.com/errata/RHSA-2024:10836"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2328045",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2328045"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_10836.json"
}
],
"title": "Red Hat Security Advisory: python-tornado security update",
"tracking": {
"current_release_date": "2025-11-06T22:34:22+00:00",
"generator": {
"date": "2025-11-06T22:34:22+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.11"
}
},
"id": "RHSA-2024:10836",
"initial_release_date": "2024-12-05T10:19:31+00:00",
"revision_history": [
{
"date": "2024-12-05T10:19:31+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2024-12-05T10:19:31+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-06T22:34:22+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream EUS (v.9.2)",
"product": {
"name": "Red Hat Enterprise Linux AppStream EUS (v.9.2)",
"product_id": "AppStream-9.2.0.Z.EUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_eus:9.2::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "python-tornado-0:6.4.2-1.el9_2.src",
"product": {
"name": "python-tornado-0:6.4.2-1.el9_2.src",
"product_id": "python-tornado-0:6.4.2-1.el9_2.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-tornado@6.4.2-1.el9_2?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "python3-tornado-0:6.4.2-1.el9_2.aarch64",
"product": {
"name": "python3-tornado-0:6.4.2-1.el9_2.aarch64",
"product_id": "python3-tornado-0:6.4.2-1.el9_2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado@6.4.2-1.el9_2?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "python-tornado-debugsource-0:6.4.2-1.el9_2.aarch64",
"product": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_2.aarch64",
"product_id": "python-tornado-debugsource-0:6.4.2-1.el9_2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-tornado-debugsource@6.4.2-1.el9_2?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_2.aarch64",
"product": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_2.aarch64",
"product_id": "python3-tornado-debuginfo-0:6.4.2-1.el9_2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado-debuginfo@6.4.2-1.el9_2?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "python3-tornado-0:6.4.2-1.el9_2.ppc64le",
"product": {
"name": "python3-tornado-0:6.4.2-1.el9_2.ppc64le",
"product_id": "python3-tornado-0:6.4.2-1.el9_2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado@6.4.2-1.el9_2?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "python-tornado-debugsource-0:6.4.2-1.el9_2.ppc64le",
"product": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_2.ppc64le",
"product_id": "python-tornado-debugsource-0:6.4.2-1.el9_2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-tornado-debugsource@6.4.2-1.el9_2?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_2.ppc64le",
"product": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_2.ppc64le",
"product_id": "python3-tornado-debuginfo-0:6.4.2-1.el9_2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado-debuginfo@6.4.2-1.el9_2?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "python3-tornado-0:6.4.2-1.el9_2.x86_64",
"product": {
"name": "python3-tornado-0:6.4.2-1.el9_2.x86_64",
"product_id": "python3-tornado-0:6.4.2-1.el9_2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado@6.4.2-1.el9_2?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "python-tornado-debugsource-0:6.4.2-1.el9_2.x86_64",
"product": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_2.x86_64",
"product_id": "python-tornado-debugsource-0:6.4.2-1.el9_2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-tornado-debugsource@6.4.2-1.el9_2?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_2.x86_64",
"product": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_2.x86_64",
"product_id": "python3-tornado-debuginfo-0:6.4.2-1.el9_2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado-debuginfo@6.4.2-1.el9_2?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "python3-tornado-0:6.4.2-1.el9_2.s390x",
"product": {
"name": "python3-tornado-0:6.4.2-1.el9_2.s390x",
"product_id": "python3-tornado-0:6.4.2-1.el9_2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado@6.4.2-1.el9_2?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "python-tornado-debugsource-0:6.4.2-1.el9_2.s390x",
"product": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_2.s390x",
"product_id": "python-tornado-debugsource-0:6.4.2-1.el9_2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-tornado-debugsource@6.4.2-1.el9_2?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_2.s390x",
"product": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_2.s390x",
"product_id": "python3-tornado-debuginfo-0:6.4.2-1.el9_2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado-debuginfo@6.4.2-1.el9_2?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python-tornado-0:6.4.2-1.el9_2.src as a component of Red Hat Enterprise Linux AppStream EUS (v.9.2)",
"product_id": "AppStream-9.2.0.Z.EUS:python-tornado-0:6.4.2-1.el9_2.src"
},
"product_reference": "python-tornado-0:6.4.2-1.el9_2.src",
"relates_to_product_reference": "AppStream-9.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_2.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.2)",
"product_id": "AppStream-9.2.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_2.aarch64"
},
"product_reference": "python-tornado-debugsource-0:6.4.2-1.el9_2.aarch64",
"relates_to_product_reference": "AppStream-9.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_2.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.9.2)",
"product_id": "AppStream-9.2.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_2.ppc64le"
},
"product_reference": "python-tornado-debugsource-0:6.4.2-1.el9_2.ppc64le",
"relates_to_product_reference": "AppStream-9.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_2.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.9.2)",
"product_id": "AppStream-9.2.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_2.s390x"
},
"product_reference": "python-tornado-debugsource-0:6.4.2-1.el9_2.s390x",
"relates_to_product_reference": "AppStream-9.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_2.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.2)",
"product_id": "AppStream-9.2.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_2.x86_64"
},
"product_reference": "python-tornado-debugsource-0:6.4.2-1.el9_2.x86_64",
"relates_to_product_reference": "AppStream-9.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-0:6.4.2-1.el9_2.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.2)",
"product_id": "AppStream-9.2.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_2.aarch64"
},
"product_reference": "python3-tornado-0:6.4.2-1.el9_2.aarch64",
"relates_to_product_reference": "AppStream-9.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-0:6.4.2-1.el9_2.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.9.2)",
"product_id": "AppStream-9.2.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_2.ppc64le"
},
"product_reference": "python3-tornado-0:6.4.2-1.el9_2.ppc64le",
"relates_to_product_reference": "AppStream-9.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-0:6.4.2-1.el9_2.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.9.2)",
"product_id": "AppStream-9.2.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_2.s390x"
},
"product_reference": "python3-tornado-0:6.4.2-1.el9_2.s390x",
"relates_to_product_reference": "AppStream-9.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-0:6.4.2-1.el9_2.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.2)",
"product_id": "AppStream-9.2.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_2.x86_64"
},
"product_reference": "python3-tornado-0:6.4.2-1.el9_2.x86_64",
"relates_to_product_reference": "AppStream-9.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_2.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.2)",
"product_id": "AppStream-9.2.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_2.aarch64"
},
"product_reference": "python3-tornado-debuginfo-0:6.4.2-1.el9_2.aarch64",
"relates_to_product_reference": "AppStream-9.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_2.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.9.2)",
"product_id": "AppStream-9.2.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_2.ppc64le"
},
"product_reference": "python3-tornado-debuginfo-0:6.4.2-1.el9_2.ppc64le",
"relates_to_product_reference": "AppStream-9.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_2.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.9.2)",
"product_id": "AppStream-9.2.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_2.s390x"
},
"product_reference": "python3-tornado-debuginfo-0:6.4.2-1.el9_2.s390x",
"relates_to_product_reference": "AppStream-9.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_2.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.2)",
"product_id": "AppStream-9.2.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_2.x86_64"
},
"product_reference": "python3-tornado-debuginfo-0:6.4.2-1.el9_2.x86_64",
"relates_to_product_reference": "AppStream-9.2.0.Z.EUS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-52804",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2024-11-22T16:00:41.704855+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2328045"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Tornado\u0027s HTTP cookie parsing algorithm. This vulnerability allows excessive CPU consumption via maliciously crafted cookie headers due to quadratic complexity, potentially blocking the processing of other requests and leading to the loss of availability of the system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "python-tornado: Tornado has HTTP cookie parsing DoS vulnerability",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.2.0.Z.EUS:python-tornado-0:6.4.2-1.el9_2.src",
"AppStream-9.2.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_2.aarch64",
"AppStream-9.2.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_2.ppc64le",
"AppStream-9.2.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_2.s390x",
"AppStream-9.2.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_2.x86_64",
"AppStream-9.2.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_2.aarch64",
"AppStream-9.2.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_2.ppc64le",
"AppStream-9.2.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_2.s390x",
"AppStream-9.2.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_2.x86_64",
"AppStream-9.2.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_2.aarch64",
"AppStream-9.2.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_2.ppc64le",
"AppStream-9.2.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_2.s390x",
"AppStream-9.2.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_2.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-52804"
},
{
"category": "external",
"summary": "RHBZ#2328045",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2328045"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-52804",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-52804"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-52804",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52804"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-7pwv-g7hj-39pr",
"url": "https://github.com/advisories/GHSA-7pwv-g7hj-39pr"
},
{
"category": "external",
"summary": "https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533",
"url": "https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533"
},
{
"category": "external",
"summary": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c",
"url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c"
}
],
"release_date": "2024-11-22T15:43:38.572000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-12-05T10:19:31+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.2.0.Z.EUS:python-tornado-0:6.4.2-1.el9_2.src",
"AppStream-9.2.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_2.aarch64",
"AppStream-9.2.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_2.ppc64le",
"AppStream-9.2.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_2.s390x",
"AppStream-9.2.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_2.x86_64",
"AppStream-9.2.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_2.aarch64",
"AppStream-9.2.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_2.ppc64le",
"AppStream-9.2.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_2.s390x",
"AppStream-9.2.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_2.x86_64",
"AppStream-9.2.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_2.aarch64",
"AppStream-9.2.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_2.ppc64le",
"AppStream-9.2.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_2.s390x",
"AppStream-9.2.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_2.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:10836"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.2.0.Z.EUS:python-tornado-0:6.4.2-1.el9_2.src",
"AppStream-9.2.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_2.aarch64",
"AppStream-9.2.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_2.ppc64le",
"AppStream-9.2.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_2.s390x",
"AppStream-9.2.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_2.x86_64",
"AppStream-9.2.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_2.aarch64",
"AppStream-9.2.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_2.ppc64le",
"AppStream-9.2.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_2.s390x",
"AppStream-9.2.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_2.x86_64",
"AppStream-9.2.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_2.aarch64",
"AppStream-9.2.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_2.ppc64le",
"AppStream-9.2.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_2.s390x",
"AppStream-9.2.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.2.0.Z.EUS:python-tornado-0:6.4.2-1.el9_2.src",
"AppStream-9.2.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_2.aarch64",
"AppStream-9.2.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_2.ppc64le",
"AppStream-9.2.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_2.s390x",
"AppStream-9.2.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_2.x86_64",
"AppStream-9.2.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_2.aarch64",
"AppStream-9.2.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_2.ppc64le",
"AppStream-9.2.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_2.s390x",
"AppStream-9.2.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_2.x86_64",
"AppStream-9.2.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_2.aarch64",
"AppStream-9.2.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_2.ppc64le",
"AppStream-9.2.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_2.s390x",
"AppStream-9.2.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "python-tornado: Tornado has HTTP cookie parsing DoS vulnerability"
}
]
}
rhsa-2025:3108
Vulnerability from csaf_redhat
Notes
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for pcs is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities.\n\nSecurity Fix(es):\n\n* python-tornado: Tornado has HTTP cookie parsing DoS vulnerability (CVE-2024-52804)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:3108",
"url": "https://access.redhat.com/errata/RHSA-2025:3108"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2328045",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2328045"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_3108.json"
}
],
"title": "Red Hat Security Advisory: pcs security update",
"tracking": {
"current_release_date": "2025-11-06T22:35:45+00:00",
"generator": {
"date": "2025-11-06T22:35:45+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.11"
}
},
"id": "RHSA-2025:3108",
"initial_release_date": "2025-03-24T10:39:40+00:00",
"revision_history": [
{
"date": "2025-03-24T10:39:40+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-03-24T10:39:40+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-06T22:35:45+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux High Availability EUS (v.9.2)",
"product": {
"name": "Red Hat Enterprise Linux High Availability EUS (v.9.2)",
"product_id": "HighAvailability-9.2.0.Z.EUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_eus:9.2::highavailability"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Resilient Storage EUS (v.9.2)",
"product": {
"name": "Red Hat Enterprise Linux Resilient Storage EUS (v.9.2)",
"product_id": "ResilientStorage-9.2.0.Z.EUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_eus:9.2::resilientstorage"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "pcs-0:0.11.4-7.el9_2.4.src",
"product": {
"name": "pcs-0:0.11.4-7.el9_2.4.src",
"product_id": "pcs-0:0.11.4-7.el9_2.4.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/pcs@0.11.4-7.el9_2.4?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "pcs-0:0.11.4-7.el9_2.4.aarch64",
"product": {
"name": "pcs-0:0.11.4-7.el9_2.4.aarch64",
"product_id": "pcs-0:0.11.4-7.el9_2.4.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/pcs@0.11.4-7.el9_2.4?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "pcs-snmp-0:0.11.4-7.el9_2.4.aarch64",
"product": {
"name": "pcs-snmp-0:0.11.4-7.el9_2.4.aarch64",
"product_id": "pcs-snmp-0:0.11.4-7.el9_2.4.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/pcs-snmp@0.11.4-7.el9_2.4?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "pcs-0:0.11.4-7.el9_2.4.ppc64le",
"product": {
"name": "pcs-0:0.11.4-7.el9_2.4.ppc64le",
"product_id": "pcs-0:0.11.4-7.el9_2.4.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/pcs@0.11.4-7.el9_2.4?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "pcs-snmp-0:0.11.4-7.el9_2.4.ppc64le",
"product": {
"name": "pcs-snmp-0:0.11.4-7.el9_2.4.ppc64le",
"product_id": "pcs-snmp-0:0.11.4-7.el9_2.4.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/pcs-snmp@0.11.4-7.el9_2.4?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "pcs-0:0.11.4-7.el9_2.4.x86_64",
"product": {
"name": "pcs-0:0.11.4-7.el9_2.4.x86_64",
"product_id": "pcs-0:0.11.4-7.el9_2.4.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/pcs@0.11.4-7.el9_2.4?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "pcs-snmp-0:0.11.4-7.el9_2.4.x86_64",
"product": {
"name": "pcs-snmp-0:0.11.4-7.el9_2.4.x86_64",
"product_id": "pcs-snmp-0:0.11.4-7.el9_2.4.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/pcs-snmp@0.11.4-7.el9_2.4?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "pcs-0:0.11.4-7.el9_2.4.s390x",
"product": {
"name": "pcs-0:0.11.4-7.el9_2.4.s390x",
"product_id": "pcs-0:0.11.4-7.el9_2.4.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/pcs@0.11.4-7.el9_2.4?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "pcs-snmp-0:0.11.4-7.el9_2.4.s390x",
"product": {
"name": "pcs-snmp-0:0.11.4-7.el9_2.4.s390x",
"product_id": "pcs-snmp-0:0.11.4-7.el9_2.4.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/pcs-snmp@0.11.4-7.el9_2.4?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.11.4-7.el9_2.4.aarch64 as a component of Red Hat Enterprise Linux High Availability EUS (v.9.2)",
"product_id": "HighAvailability-9.2.0.Z.EUS:pcs-0:0.11.4-7.el9_2.4.aarch64"
},
"product_reference": "pcs-0:0.11.4-7.el9_2.4.aarch64",
"relates_to_product_reference": "HighAvailability-9.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.11.4-7.el9_2.4.ppc64le as a component of Red Hat Enterprise Linux High Availability EUS (v.9.2)",
"product_id": "HighAvailability-9.2.0.Z.EUS:pcs-0:0.11.4-7.el9_2.4.ppc64le"
},
"product_reference": "pcs-0:0.11.4-7.el9_2.4.ppc64le",
"relates_to_product_reference": "HighAvailability-9.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.11.4-7.el9_2.4.s390x as a component of Red Hat Enterprise Linux High Availability EUS (v.9.2)",
"product_id": "HighAvailability-9.2.0.Z.EUS:pcs-0:0.11.4-7.el9_2.4.s390x"
},
"product_reference": "pcs-0:0.11.4-7.el9_2.4.s390x",
"relates_to_product_reference": "HighAvailability-9.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.11.4-7.el9_2.4.src as a component of Red Hat Enterprise Linux High Availability EUS (v.9.2)",
"product_id": "HighAvailability-9.2.0.Z.EUS:pcs-0:0.11.4-7.el9_2.4.src"
},
"product_reference": "pcs-0:0.11.4-7.el9_2.4.src",
"relates_to_product_reference": "HighAvailability-9.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.11.4-7.el9_2.4.x86_64 as a component of Red Hat Enterprise Linux High Availability EUS (v.9.2)",
"product_id": "HighAvailability-9.2.0.Z.EUS:pcs-0:0.11.4-7.el9_2.4.x86_64"
},
"product_reference": "pcs-0:0.11.4-7.el9_2.4.x86_64",
"relates_to_product_reference": "HighAvailability-9.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-snmp-0:0.11.4-7.el9_2.4.aarch64 as a component of Red Hat Enterprise Linux High Availability EUS (v.9.2)",
"product_id": "HighAvailability-9.2.0.Z.EUS:pcs-snmp-0:0.11.4-7.el9_2.4.aarch64"
},
"product_reference": "pcs-snmp-0:0.11.4-7.el9_2.4.aarch64",
"relates_to_product_reference": "HighAvailability-9.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-snmp-0:0.11.4-7.el9_2.4.ppc64le as a component of Red Hat Enterprise Linux High Availability EUS (v.9.2)",
"product_id": "HighAvailability-9.2.0.Z.EUS:pcs-snmp-0:0.11.4-7.el9_2.4.ppc64le"
},
"product_reference": "pcs-snmp-0:0.11.4-7.el9_2.4.ppc64le",
"relates_to_product_reference": "HighAvailability-9.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-snmp-0:0.11.4-7.el9_2.4.s390x as a component of Red Hat Enterprise Linux High Availability EUS (v.9.2)",
"product_id": "HighAvailability-9.2.0.Z.EUS:pcs-snmp-0:0.11.4-7.el9_2.4.s390x"
},
"product_reference": "pcs-snmp-0:0.11.4-7.el9_2.4.s390x",
"relates_to_product_reference": "HighAvailability-9.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-snmp-0:0.11.4-7.el9_2.4.x86_64 as a component of Red Hat Enterprise Linux High Availability EUS (v.9.2)",
"product_id": "HighAvailability-9.2.0.Z.EUS:pcs-snmp-0:0.11.4-7.el9_2.4.x86_64"
},
"product_reference": "pcs-snmp-0:0.11.4-7.el9_2.4.x86_64",
"relates_to_product_reference": "HighAvailability-9.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.11.4-7.el9_2.4.aarch64 as a component of Red Hat Enterprise Linux Resilient Storage EUS (v.9.2)",
"product_id": "ResilientStorage-9.2.0.Z.EUS:pcs-0:0.11.4-7.el9_2.4.aarch64"
},
"product_reference": "pcs-0:0.11.4-7.el9_2.4.aarch64",
"relates_to_product_reference": "ResilientStorage-9.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.11.4-7.el9_2.4.ppc64le as a component of Red Hat Enterprise Linux Resilient Storage EUS (v.9.2)",
"product_id": "ResilientStorage-9.2.0.Z.EUS:pcs-0:0.11.4-7.el9_2.4.ppc64le"
},
"product_reference": "pcs-0:0.11.4-7.el9_2.4.ppc64le",
"relates_to_product_reference": "ResilientStorage-9.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.11.4-7.el9_2.4.s390x as a component of Red Hat Enterprise Linux Resilient Storage EUS (v.9.2)",
"product_id": "ResilientStorage-9.2.0.Z.EUS:pcs-0:0.11.4-7.el9_2.4.s390x"
},
"product_reference": "pcs-0:0.11.4-7.el9_2.4.s390x",
"relates_to_product_reference": "ResilientStorage-9.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.11.4-7.el9_2.4.src as a component of Red Hat Enterprise Linux Resilient Storage EUS (v.9.2)",
"product_id": "ResilientStorage-9.2.0.Z.EUS:pcs-0:0.11.4-7.el9_2.4.src"
},
"product_reference": "pcs-0:0.11.4-7.el9_2.4.src",
"relates_to_product_reference": "ResilientStorage-9.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.11.4-7.el9_2.4.x86_64 as a component of Red Hat Enterprise Linux Resilient Storage EUS (v.9.2)",
"product_id": "ResilientStorage-9.2.0.Z.EUS:pcs-0:0.11.4-7.el9_2.4.x86_64"
},
"product_reference": "pcs-0:0.11.4-7.el9_2.4.x86_64",
"relates_to_product_reference": "ResilientStorage-9.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-snmp-0:0.11.4-7.el9_2.4.aarch64 as a component of Red Hat Enterprise Linux Resilient Storage EUS (v.9.2)",
"product_id": "ResilientStorage-9.2.0.Z.EUS:pcs-snmp-0:0.11.4-7.el9_2.4.aarch64"
},
"product_reference": "pcs-snmp-0:0.11.4-7.el9_2.4.aarch64",
"relates_to_product_reference": "ResilientStorage-9.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-snmp-0:0.11.4-7.el9_2.4.ppc64le as a component of Red Hat Enterprise Linux Resilient Storage EUS (v.9.2)",
"product_id": "ResilientStorage-9.2.0.Z.EUS:pcs-snmp-0:0.11.4-7.el9_2.4.ppc64le"
},
"product_reference": "pcs-snmp-0:0.11.4-7.el9_2.4.ppc64le",
"relates_to_product_reference": "ResilientStorage-9.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-snmp-0:0.11.4-7.el9_2.4.s390x as a component of Red Hat Enterprise Linux Resilient Storage EUS (v.9.2)",
"product_id": "ResilientStorage-9.2.0.Z.EUS:pcs-snmp-0:0.11.4-7.el9_2.4.s390x"
},
"product_reference": "pcs-snmp-0:0.11.4-7.el9_2.4.s390x",
"relates_to_product_reference": "ResilientStorage-9.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-snmp-0:0.11.4-7.el9_2.4.x86_64 as a component of Red Hat Enterprise Linux Resilient Storage EUS (v.9.2)",
"product_id": "ResilientStorage-9.2.0.Z.EUS:pcs-snmp-0:0.11.4-7.el9_2.4.x86_64"
},
"product_reference": "pcs-snmp-0:0.11.4-7.el9_2.4.x86_64",
"relates_to_product_reference": "ResilientStorage-9.2.0.Z.EUS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-52804",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2024-11-22T16:00:41.704855+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2328045"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Tornado\u0027s HTTP cookie parsing algorithm. This vulnerability allows excessive CPU consumption via maliciously crafted cookie headers due to quadratic complexity, potentially blocking the processing of other requests and leading to the loss of availability of the system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "python-tornado: Tornado has HTTP cookie parsing DoS vulnerability",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"HighAvailability-9.2.0.Z.EUS:pcs-0:0.11.4-7.el9_2.4.aarch64",
"HighAvailability-9.2.0.Z.EUS:pcs-0:0.11.4-7.el9_2.4.ppc64le",
"HighAvailability-9.2.0.Z.EUS:pcs-0:0.11.4-7.el9_2.4.s390x",
"HighAvailability-9.2.0.Z.EUS:pcs-0:0.11.4-7.el9_2.4.src",
"HighAvailability-9.2.0.Z.EUS:pcs-0:0.11.4-7.el9_2.4.x86_64",
"HighAvailability-9.2.0.Z.EUS:pcs-snmp-0:0.11.4-7.el9_2.4.aarch64",
"HighAvailability-9.2.0.Z.EUS:pcs-snmp-0:0.11.4-7.el9_2.4.ppc64le",
"HighAvailability-9.2.0.Z.EUS:pcs-snmp-0:0.11.4-7.el9_2.4.s390x",
"HighAvailability-9.2.0.Z.EUS:pcs-snmp-0:0.11.4-7.el9_2.4.x86_64",
"ResilientStorage-9.2.0.Z.EUS:pcs-0:0.11.4-7.el9_2.4.aarch64",
"ResilientStorage-9.2.0.Z.EUS:pcs-0:0.11.4-7.el9_2.4.ppc64le",
"ResilientStorage-9.2.0.Z.EUS:pcs-0:0.11.4-7.el9_2.4.s390x",
"ResilientStorage-9.2.0.Z.EUS:pcs-0:0.11.4-7.el9_2.4.src",
"ResilientStorage-9.2.0.Z.EUS:pcs-0:0.11.4-7.el9_2.4.x86_64",
"ResilientStorage-9.2.0.Z.EUS:pcs-snmp-0:0.11.4-7.el9_2.4.aarch64",
"ResilientStorage-9.2.0.Z.EUS:pcs-snmp-0:0.11.4-7.el9_2.4.ppc64le",
"ResilientStorage-9.2.0.Z.EUS:pcs-snmp-0:0.11.4-7.el9_2.4.s390x",
"ResilientStorage-9.2.0.Z.EUS:pcs-snmp-0:0.11.4-7.el9_2.4.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-52804"
},
{
"category": "external",
"summary": "RHBZ#2328045",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2328045"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-52804",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-52804"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-52804",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52804"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-7pwv-g7hj-39pr",
"url": "https://github.com/advisories/GHSA-7pwv-g7hj-39pr"
},
{
"category": "external",
"summary": "https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533",
"url": "https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533"
},
{
"category": "external",
"summary": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c",
"url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c"
}
],
"release_date": "2024-11-22T15:43:38.572000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-03-24T10:39:40+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"HighAvailability-9.2.0.Z.EUS:pcs-0:0.11.4-7.el9_2.4.aarch64",
"HighAvailability-9.2.0.Z.EUS:pcs-0:0.11.4-7.el9_2.4.ppc64le",
"HighAvailability-9.2.0.Z.EUS:pcs-0:0.11.4-7.el9_2.4.s390x",
"HighAvailability-9.2.0.Z.EUS:pcs-0:0.11.4-7.el9_2.4.src",
"HighAvailability-9.2.0.Z.EUS:pcs-0:0.11.4-7.el9_2.4.x86_64",
"HighAvailability-9.2.0.Z.EUS:pcs-snmp-0:0.11.4-7.el9_2.4.aarch64",
"HighAvailability-9.2.0.Z.EUS:pcs-snmp-0:0.11.4-7.el9_2.4.ppc64le",
"HighAvailability-9.2.0.Z.EUS:pcs-snmp-0:0.11.4-7.el9_2.4.s390x",
"HighAvailability-9.2.0.Z.EUS:pcs-snmp-0:0.11.4-7.el9_2.4.x86_64",
"ResilientStorage-9.2.0.Z.EUS:pcs-0:0.11.4-7.el9_2.4.aarch64",
"ResilientStorage-9.2.0.Z.EUS:pcs-0:0.11.4-7.el9_2.4.ppc64le",
"ResilientStorage-9.2.0.Z.EUS:pcs-0:0.11.4-7.el9_2.4.s390x",
"ResilientStorage-9.2.0.Z.EUS:pcs-0:0.11.4-7.el9_2.4.src",
"ResilientStorage-9.2.0.Z.EUS:pcs-0:0.11.4-7.el9_2.4.x86_64",
"ResilientStorage-9.2.0.Z.EUS:pcs-snmp-0:0.11.4-7.el9_2.4.aarch64",
"ResilientStorage-9.2.0.Z.EUS:pcs-snmp-0:0.11.4-7.el9_2.4.ppc64le",
"ResilientStorage-9.2.0.Z.EUS:pcs-snmp-0:0.11.4-7.el9_2.4.s390x",
"ResilientStorage-9.2.0.Z.EUS:pcs-snmp-0:0.11.4-7.el9_2.4.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:3108"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"HighAvailability-9.2.0.Z.EUS:pcs-0:0.11.4-7.el9_2.4.aarch64",
"HighAvailability-9.2.0.Z.EUS:pcs-0:0.11.4-7.el9_2.4.ppc64le",
"HighAvailability-9.2.0.Z.EUS:pcs-0:0.11.4-7.el9_2.4.s390x",
"HighAvailability-9.2.0.Z.EUS:pcs-0:0.11.4-7.el9_2.4.src",
"HighAvailability-9.2.0.Z.EUS:pcs-0:0.11.4-7.el9_2.4.x86_64",
"HighAvailability-9.2.0.Z.EUS:pcs-snmp-0:0.11.4-7.el9_2.4.aarch64",
"HighAvailability-9.2.0.Z.EUS:pcs-snmp-0:0.11.4-7.el9_2.4.ppc64le",
"HighAvailability-9.2.0.Z.EUS:pcs-snmp-0:0.11.4-7.el9_2.4.s390x",
"HighAvailability-9.2.0.Z.EUS:pcs-snmp-0:0.11.4-7.el9_2.4.x86_64",
"ResilientStorage-9.2.0.Z.EUS:pcs-0:0.11.4-7.el9_2.4.aarch64",
"ResilientStorage-9.2.0.Z.EUS:pcs-0:0.11.4-7.el9_2.4.ppc64le",
"ResilientStorage-9.2.0.Z.EUS:pcs-0:0.11.4-7.el9_2.4.s390x",
"ResilientStorage-9.2.0.Z.EUS:pcs-0:0.11.4-7.el9_2.4.src",
"ResilientStorage-9.2.0.Z.EUS:pcs-0:0.11.4-7.el9_2.4.x86_64",
"ResilientStorage-9.2.0.Z.EUS:pcs-snmp-0:0.11.4-7.el9_2.4.aarch64",
"ResilientStorage-9.2.0.Z.EUS:pcs-snmp-0:0.11.4-7.el9_2.4.ppc64le",
"ResilientStorage-9.2.0.Z.EUS:pcs-snmp-0:0.11.4-7.el9_2.4.s390x",
"ResilientStorage-9.2.0.Z.EUS:pcs-snmp-0:0.11.4-7.el9_2.4.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"HighAvailability-9.2.0.Z.EUS:pcs-0:0.11.4-7.el9_2.4.aarch64",
"HighAvailability-9.2.0.Z.EUS:pcs-0:0.11.4-7.el9_2.4.ppc64le",
"HighAvailability-9.2.0.Z.EUS:pcs-0:0.11.4-7.el9_2.4.s390x",
"HighAvailability-9.2.0.Z.EUS:pcs-0:0.11.4-7.el9_2.4.src",
"HighAvailability-9.2.0.Z.EUS:pcs-0:0.11.4-7.el9_2.4.x86_64",
"HighAvailability-9.2.0.Z.EUS:pcs-snmp-0:0.11.4-7.el9_2.4.aarch64",
"HighAvailability-9.2.0.Z.EUS:pcs-snmp-0:0.11.4-7.el9_2.4.ppc64le",
"HighAvailability-9.2.0.Z.EUS:pcs-snmp-0:0.11.4-7.el9_2.4.s390x",
"HighAvailability-9.2.0.Z.EUS:pcs-snmp-0:0.11.4-7.el9_2.4.x86_64",
"ResilientStorage-9.2.0.Z.EUS:pcs-0:0.11.4-7.el9_2.4.aarch64",
"ResilientStorage-9.2.0.Z.EUS:pcs-0:0.11.4-7.el9_2.4.ppc64le",
"ResilientStorage-9.2.0.Z.EUS:pcs-0:0.11.4-7.el9_2.4.s390x",
"ResilientStorage-9.2.0.Z.EUS:pcs-0:0.11.4-7.el9_2.4.src",
"ResilientStorage-9.2.0.Z.EUS:pcs-0:0.11.4-7.el9_2.4.x86_64",
"ResilientStorage-9.2.0.Z.EUS:pcs-snmp-0:0.11.4-7.el9_2.4.aarch64",
"ResilientStorage-9.2.0.Z.EUS:pcs-snmp-0:0.11.4-7.el9_2.4.ppc64le",
"ResilientStorage-9.2.0.Z.EUS:pcs-snmp-0:0.11.4-7.el9_2.4.s390x",
"ResilientStorage-9.2.0.Z.EUS:pcs-snmp-0:0.11.4-7.el9_2.4.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "python-tornado: Tornado has HTTP cookie parsing DoS vulnerability"
}
]
}
rhsa-2024_10836
Vulnerability from csaf_redhat
Notes
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for python-tornado is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Tornado is a Python web framework and asynchronous networking library that provides an open source version of a scalable, non-blocking web server and tools.\n\nSecurity Fix(es):\n\n* python-tornado: Tornado has HTTP cookie parsing DoS vulnerability (CVE-2024-52804)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2024:10836",
"url": "https://access.redhat.com/errata/RHSA-2024:10836"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2328045",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2328045"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_10836.json"
}
],
"title": "Red Hat Security Advisory: python-tornado security update",
"tracking": {
"current_release_date": "2024-12-06T10:24:14+00:00",
"generator": {
"date": "2024-12-06T10:24:14+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.2"
}
},
"id": "RHSA-2024:10836",
"initial_release_date": "2024-12-05T10:19:31+00:00",
"revision_history": [
{
"date": "2024-12-05T10:19:31+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2024-12-05T10:19:31+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-12-06T10:24:14+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream EUS (v.9.2)",
"product": {
"name": "Red Hat Enterprise Linux AppStream EUS (v.9.2)",
"product_id": "AppStream-9.2.0.Z.EUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_eus:9.2::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "python-tornado-0:6.4.2-1.el9_2.src",
"product": {
"name": "python-tornado-0:6.4.2-1.el9_2.src",
"product_id": "python-tornado-0:6.4.2-1.el9_2.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-tornado@6.4.2-1.el9_2?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "python3-tornado-0:6.4.2-1.el9_2.aarch64",
"product": {
"name": "python3-tornado-0:6.4.2-1.el9_2.aarch64",
"product_id": "python3-tornado-0:6.4.2-1.el9_2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado@6.4.2-1.el9_2?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "python-tornado-debugsource-0:6.4.2-1.el9_2.aarch64",
"product": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_2.aarch64",
"product_id": "python-tornado-debugsource-0:6.4.2-1.el9_2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-tornado-debugsource@6.4.2-1.el9_2?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_2.aarch64",
"product": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_2.aarch64",
"product_id": "python3-tornado-debuginfo-0:6.4.2-1.el9_2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado-debuginfo@6.4.2-1.el9_2?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "python3-tornado-0:6.4.2-1.el9_2.ppc64le",
"product": {
"name": "python3-tornado-0:6.4.2-1.el9_2.ppc64le",
"product_id": "python3-tornado-0:6.4.2-1.el9_2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado@6.4.2-1.el9_2?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "python-tornado-debugsource-0:6.4.2-1.el9_2.ppc64le",
"product": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_2.ppc64le",
"product_id": "python-tornado-debugsource-0:6.4.2-1.el9_2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-tornado-debugsource@6.4.2-1.el9_2?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_2.ppc64le",
"product": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_2.ppc64le",
"product_id": "python3-tornado-debuginfo-0:6.4.2-1.el9_2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado-debuginfo@6.4.2-1.el9_2?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "python3-tornado-0:6.4.2-1.el9_2.x86_64",
"product": {
"name": "python3-tornado-0:6.4.2-1.el9_2.x86_64",
"product_id": "python3-tornado-0:6.4.2-1.el9_2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado@6.4.2-1.el9_2?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "python-tornado-debugsource-0:6.4.2-1.el9_2.x86_64",
"product": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_2.x86_64",
"product_id": "python-tornado-debugsource-0:6.4.2-1.el9_2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-tornado-debugsource@6.4.2-1.el9_2?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_2.x86_64",
"product": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_2.x86_64",
"product_id": "python3-tornado-debuginfo-0:6.4.2-1.el9_2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado-debuginfo@6.4.2-1.el9_2?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "python3-tornado-0:6.4.2-1.el9_2.s390x",
"product": {
"name": "python3-tornado-0:6.4.2-1.el9_2.s390x",
"product_id": "python3-tornado-0:6.4.2-1.el9_2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado@6.4.2-1.el9_2?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "python-tornado-debugsource-0:6.4.2-1.el9_2.s390x",
"product": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_2.s390x",
"product_id": "python-tornado-debugsource-0:6.4.2-1.el9_2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-tornado-debugsource@6.4.2-1.el9_2?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_2.s390x",
"product": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_2.s390x",
"product_id": "python3-tornado-debuginfo-0:6.4.2-1.el9_2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado-debuginfo@6.4.2-1.el9_2?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python-tornado-0:6.4.2-1.el9_2.src as a component of Red Hat Enterprise Linux AppStream EUS (v.9.2)",
"product_id": "AppStream-9.2.0.Z.EUS:python-tornado-0:6.4.2-1.el9_2.src"
},
"product_reference": "python-tornado-0:6.4.2-1.el9_2.src",
"relates_to_product_reference": "AppStream-9.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_2.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.2)",
"product_id": "AppStream-9.2.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_2.aarch64"
},
"product_reference": "python-tornado-debugsource-0:6.4.2-1.el9_2.aarch64",
"relates_to_product_reference": "AppStream-9.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_2.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.9.2)",
"product_id": "AppStream-9.2.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_2.ppc64le"
},
"product_reference": "python-tornado-debugsource-0:6.4.2-1.el9_2.ppc64le",
"relates_to_product_reference": "AppStream-9.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_2.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.9.2)",
"product_id": "AppStream-9.2.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_2.s390x"
},
"product_reference": "python-tornado-debugsource-0:6.4.2-1.el9_2.s390x",
"relates_to_product_reference": "AppStream-9.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_2.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.2)",
"product_id": "AppStream-9.2.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_2.x86_64"
},
"product_reference": "python-tornado-debugsource-0:6.4.2-1.el9_2.x86_64",
"relates_to_product_reference": "AppStream-9.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-0:6.4.2-1.el9_2.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.2)",
"product_id": "AppStream-9.2.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_2.aarch64"
},
"product_reference": "python3-tornado-0:6.4.2-1.el9_2.aarch64",
"relates_to_product_reference": "AppStream-9.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-0:6.4.2-1.el9_2.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.9.2)",
"product_id": "AppStream-9.2.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_2.ppc64le"
},
"product_reference": "python3-tornado-0:6.4.2-1.el9_2.ppc64le",
"relates_to_product_reference": "AppStream-9.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-0:6.4.2-1.el9_2.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.9.2)",
"product_id": "AppStream-9.2.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_2.s390x"
},
"product_reference": "python3-tornado-0:6.4.2-1.el9_2.s390x",
"relates_to_product_reference": "AppStream-9.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-0:6.4.2-1.el9_2.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.2)",
"product_id": "AppStream-9.2.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_2.x86_64"
},
"product_reference": "python3-tornado-0:6.4.2-1.el9_2.x86_64",
"relates_to_product_reference": "AppStream-9.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_2.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.2)",
"product_id": "AppStream-9.2.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_2.aarch64"
},
"product_reference": "python3-tornado-debuginfo-0:6.4.2-1.el9_2.aarch64",
"relates_to_product_reference": "AppStream-9.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_2.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.9.2)",
"product_id": "AppStream-9.2.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_2.ppc64le"
},
"product_reference": "python3-tornado-debuginfo-0:6.4.2-1.el9_2.ppc64le",
"relates_to_product_reference": "AppStream-9.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_2.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.9.2)",
"product_id": "AppStream-9.2.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_2.s390x"
},
"product_reference": "python3-tornado-debuginfo-0:6.4.2-1.el9_2.s390x",
"relates_to_product_reference": "AppStream-9.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_2.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.2)",
"product_id": "AppStream-9.2.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_2.x86_64"
},
"product_reference": "python3-tornado-debuginfo-0:6.4.2-1.el9_2.x86_64",
"relates_to_product_reference": "AppStream-9.2.0.Z.EUS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-52804",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2024-11-22T16:00:41.704855+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2328045"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Tornado\u0027s HTTP cookie parsing algorithm. This vulnerability allows excessive CPU consumption via maliciously crafted cookie headers due to quadratic complexity, potentially blocking the processing of other requests and leading to the loss of availability of the system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "python-tornado: Tornado has HTTP cookie parsing DoS vulnerability",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.2.0.Z.EUS:python-tornado-0:6.4.2-1.el9_2.src",
"AppStream-9.2.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_2.aarch64",
"AppStream-9.2.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_2.ppc64le",
"AppStream-9.2.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_2.s390x",
"AppStream-9.2.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_2.x86_64",
"AppStream-9.2.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_2.aarch64",
"AppStream-9.2.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_2.ppc64le",
"AppStream-9.2.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_2.s390x",
"AppStream-9.2.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_2.x86_64",
"AppStream-9.2.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_2.aarch64",
"AppStream-9.2.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_2.ppc64le",
"AppStream-9.2.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_2.s390x",
"AppStream-9.2.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_2.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-52804"
},
{
"category": "external",
"summary": "RHBZ#2328045",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2328045"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-52804",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-52804"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-52804",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52804"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-7pwv-g7hj-39pr",
"url": "https://github.com/advisories/GHSA-7pwv-g7hj-39pr"
},
{
"category": "external",
"summary": "https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533",
"url": "https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533"
},
{
"category": "external",
"summary": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c",
"url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c"
}
],
"release_date": "2024-11-22T15:43:38.572000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-12-05T10:19:31+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.2.0.Z.EUS:python-tornado-0:6.4.2-1.el9_2.src",
"AppStream-9.2.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_2.aarch64",
"AppStream-9.2.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_2.ppc64le",
"AppStream-9.2.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_2.s390x",
"AppStream-9.2.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_2.x86_64",
"AppStream-9.2.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_2.aarch64",
"AppStream-9.2.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_2.ppc64le",
"AppStream-9.2.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_2.s390x",
"AppStream-9.2.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_2.x86_64",
"AppStream-9.2.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_2.aarch64",
"AppStream-9.2.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_2.ppc64le",
"AppStream-9.2.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_2.s390x",
"AppStream-9.2.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_2.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:10836"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.2.0.Z.EUS:python-tornado-0:6.4.2-1.el9_2.src",
"AppStream-9.2.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_2.aarch64",
"AppStream-9.2.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_2.ppc64le",
"AppStream-9.2.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_2.s390x",
"AppStream-9.2.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_2.x86_64",
"AppStream-9.2.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_2.aarch64",
"AppStream-9.2.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_2.ppc64le",
"AppStream-9.2.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_2.s390x",
"AppStream-9.2.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_2.x86_64",
"AppStream-9.2.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_2.aarch64",
"AppStream-9.2.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_2.ppc64le",
"AppStream-9.2.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_2.s390x",
"AppStream-9.2.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.2.0.Z.EUS:python-tornado-0:6.4.2-1.el9_2.src",
"AppStream-9.2.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_2.aarch64",
"AppStream-9.2.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_2.ppc64le",
"AppStream-9.2.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_2.s390x",
"AppStream-9.2.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_2.x86_64",
"AppStream-9.2.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_2.aarch64",
"AppStream-9.2.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_2.ppc64le",
"AppStream-9.2.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_2.s390x",
"AppStream-9.2.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_2.x86_64",
"AppStream-9.2.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_2.aarch64",
"AppStream-9.2.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_2.ppc64le",
"AppStream-9.2.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_2.s390x",
"AppStream-9.2.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "python-tornado: Tornado has HTTP cookie parsing DoS vulnerability"
}
]
}
rhsa-2024:10836
Vulnerability from csaf_redhat
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for python-tornado is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Tornado is a Python web framework and asynchronous networking library that provides an open source version of a scalable, non-blocking web server and tools.\n\nSecurity Fix(es):\n\n* python-tornado: Tornado has HTTP cookie parsing DoS vulnerability (CVE-2024-52804)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2024:10836",
"url": "https://access.redhat.com/errata/RHSA-2024:10836"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2328045",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2328045"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_10836.json"
}
],
"title": "Red Hat Security Advisory: python-tornado security update",
"tracking": {
"current_release_date": "2025-11-06T22:34:22+00:00",
"generator": {
"date": "2025-11-06T22:34:22+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.11"
}
},
"id": "RHSA-2024:10836",
"initial_release_date": "2024-12-05T10:19:31+00:00",
"revision_history": [
{
"date": "2024-12-05T10:19:31+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2024-12-05T10:19:31+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-06T22:34:22+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream EUS (v.9.2)",
"product": {
"name": "Red Hat Enterprise Linux AppStream EUS (v.9.2)",
"product_id": "AppStream-9.2.0.Z.EUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_eus:9.2::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "python-tornado-0:6.4.2-1.el9_2.src",
"product": {
"name": "python-tornado-0:6.4.2-1.el9_2.src",
"product_id": "python-tornado-0:6.4.2-1.el9_2.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-tornado@6.4.2-1.el9_2?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "python3-tornado-0:6.4.2-1.el9_2.aarch64",
"product": {
"name": "python3-tornado-0:6.4.2-1.el9_2.aarch64",
"product_id": "python3-tornado-0:6.4.2-1.el9_2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado@6.4.2-1.el9_2?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "python-tornado-debugsource-0:6.4.2-1.el9_2.aarch64",
"product": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_2.aarch64",
"product_id": "python-tornado-debugsource-0:6.4.2-1.el9_2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-tornado-debugsource@6.4.2-1.el9_2?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_2.aarch64",
"product": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_2.aarch64",
"product_id": "python3-tornado-debuginfo-0:6.4.2-1.el9_2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado-debuginfo@6.4.2-1.el9_2?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "python3-tornado-0:6.4.2-1.el9_2.ppc64le",
"product": {
"name": "python3-tornado-0:6.4.2-1.el9_2.ppc64le",
"product_id": "python3-tornado-0:6.4.2-1.el9_2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado@6.4.2-1.el9_2?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "python-tornado-debugsource-0:6.4.2-1.el9_2.ppc64le",
"product": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_2.ppc64le",
"product_id": "python-tornado-debugsource-0:6.4.2-1.el9_2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-tornado-debugsource@6.4.2-1.el9_2?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_2.ppc64le",
"product": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_2.ppc64le",
"product_id": "python3-tornado-debuginfo-0:6.4.2-1.el9_2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado-debuginfo@6.4.2-1.el9_2?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "python3-tornado-0:6.4.2-1.el9_2.x86_64",
"product": {
"name": "python3-tornado-0:6.4.2-1.el9_2.x86_64",
"product_id": "python3-tornado-0:6.4.2-1.el9_2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado@6.4.2-1.el9_2?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "python-tornado-debugsource-0:6.4.2-1.el9_2.x86_64",
"product": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_2.x86_64",
"product_id": "python-tornado-debugsource-0:6.4.2-1.el9_2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-tornado-debugsource@6.4.2-1.el9_2?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_2.x86_64",
"product": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_2.x86_64",
"product_id": "python3-tornado-debuginfo-0:6.4.2-1.el9_2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado-debuginfo@6.4.2-1.el9_2?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "python3-tornado-0:6.4.2-1.el9_2.s390x",
"product": {
"name": "python3-tornado-0:6.4.2-1.el9_2.s390x",
"product_id": "python3-tornado-0:6.4.2-1.el9_2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado@6.4.2-1.el9_2?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "python-tornado-debugsource-0:6.4.2-1.el9_2.s390x",
"product": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_2.s390x",
"product_id": "python-tornado-debugsource-0:6.4.2-1.el9_2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-tornado-debugsource@6.4.2-1.el9_2?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_2.s390x",
"product": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_2.s390x",
"product_id": "python3-tornado-debuginfo-0:6.4.2-1.el9_2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado-debuginfo@6.4.2-1.el9_2?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python-tornado-0:6.4.2-1.el9_2.src as a component of Red Hat Enterprise Linux AppStream EUS (v.9.2)",
"product_id": "AppStream-9.2.0.Z.EUS:python-tornado-0:6.4.2-1.el9_2.src"
},
"product_reference": "python-tornado-0:6.4.2-1.el9_2.src",
"relates_to_product_reference": "AppStream-9.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_2.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.2)",
"product_id": "AppStream-9.2.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_2.aarch64"
},
"product_reference": "python-tornado-debugsource-0:6.4.2-1.el9_2.aarch64",
"relates_to_product_reference": "AppStream-9.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_2.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.9.2)",
"product_id": "AppStream-9.2.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_2.ppc64le"
},
"product_reference": "python-tornado-debugsource-0:6.4.2-1.el9_2.ppc64le",
"relates_to_product_reference": "AppStream-9.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_2.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.9.2)",
"product_id": "AppStream-9.2.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_2.s390x"
},
"product_reference": "python-tornado-debugsource-0:6.4.2-1.el9_2.s390x",
"relates_to_product_reference": "AppStream-9.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_2.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.2)",
"product_id": "AppStream-9.2.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_2.x86_64"
},
"product_reference": "python-tornado-debugsource-0:6.4.2-1.el9_2.x86_64",
"relates_to_product_reference": "AppStream-9.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-0:6.4.2-1.el9_2.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.2)",
"product_id": "AppStream-9.2.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_2.aarch64"
},
"product_reference": "python3-tornado-0:6.4.2-1.el9_2.aarch64",
"relates_to_product_reference": "AppStream-9.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-0:6.4.2-1.el9_2.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.9.2)",
"product_id": "AppStream-9.2.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_2.ppc64le"
},
"product_reference": "python3-tornado-0:6.4.2-1.el9_2.ppc64le",
"relates_to_product_reference": "AppStream-9.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-0:6.4.2-1.el9_2.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.9.2)",
"product_id": "AppStream-9.2.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_2.s390x"
},
"product_reference": "python3-tornado-0:6.4.2-1.el9_2.s390x",
"relates_to_product_reference": "AppStream-9.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-0:6.4.2-1.el9_2.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.2)",
"product_id": "AppStream-9.2.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_2.x86_64"
},
"product_reference": "python3-tornado-0:6.4.2-1.el9_2.x86_64",
"relates_to_product_reference": "AppStream-9.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_2.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.2)",
"product_id": "AppStream-9.2.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_2.aarch64"
},
"product_reference": "python3-tornado-debuginfo-0:6.4.2-1.el9_2.aarch64",
"relates_to_product_reference": "AppStream-9.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_2.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.9.2)",
"product_id": "AppStream-9.2.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_2.ppc64le"
},
"product_reference": "python3-tornado-debuginfo-0:6.4.2-1.el9_2.ppc64le",
"relates_to_product_reference": "AppStream-9.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_2.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.9.2)",
"product_id": "AppStream-9.2.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_2.s390x"
},
"product_reference": "python3-tornado-debuginfo-0:6.4.2-1.el9_2.s390x",
"relates_to_product_reference": "AppStream-9.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_2.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.2)",
"product_id": "AppStream-9.2.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_2.x86_64"
},
"product_reference": "python3-tornado-debuginfo-0:6.4.2-1.el9_2.x86_64",
"relates_to_product_reference": "AppStream-9.2.0.Z.EUS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-52804",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2024-11-22T16:00:41.704855+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2328045"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Tornado\u0027s HTTP cookie parsing algorithm. This vulnerability allows excessive CPU consumption via maliciously crafted cookie headers due to quadratic complexity, potentially blocking the processing of other requests and leading to the loss of availability of the system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "python-tornado: Tornado has HTTP cookie parsing DoS vulnerability",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.2.0.Z.EUS:python-tornado-0:6.4.2-1.el9_2.src",
"AppStream-9.2.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_2.aarch64",
"AppStream-9.2.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_2.ppc64le",
"AppStream-9.2.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_2.s390x",
"AppStream-9.2.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_2.x86_64",
"AppStream-9.2.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_2.aarch64",
"AppStream-9.2.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_2.ppc64le",
"AppStream-9.2.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_2.s390x",
"AppStream-9.2.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_2.x86_64",
"AppStream-9.2.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_2.aarch64",
"AppStream-9.2.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_2.ppc64le",
"AppStream-9.2.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_2.s390x",
"AppStream-9.2.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_2.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-52804"
},
{
"category": "external",
"summary": "RHBZ#2328045",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2328045"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-52804",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-52804"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-52804",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52804"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-7pwv-g7hj-39pr",
"url": "https://github.com/advisories/GHSA-7pwv-g7hj-39pr"
},
{
"category": "external",
"summary": "https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533",
"url": "https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533"
},
{
"category": "external",
"summary": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c",
"url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c"
}
],
"release_date": "2024-11-22T15:43:38.572000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-12-05T10:19:31+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.2.0.Z.EUS:python-tornado-0:6.4.2-1.el9_2.src",
"AppStream-9.2.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_2.aarch64",
"AppStream-9.2.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_2.ppc64le",
"AppStream-9.2.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_2.s390x",
"AppStream-9.2.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_2.x86_64",
"AppStream-9.2.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_2.aarch64",
"AppStream-9.2.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_2.ppc64le",
"AppStream-9.2.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_2.s390x",
"AppStream-9.2.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_2.x86_64",
"AppStream-9.2.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_2.aarch64",
"AppStream-9.2.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_2.ppc64le",
"AppStream-9.2.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_2.s390x",
"AppStream-9.2.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_2.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:10836"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.2.0.Z.EUS:python-tornado-0:6.4.2-1.el9_2.src",
"AppStream-9.2.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_2.aarch64",
"AppStream-9.2.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_2.ppc64le",
"AppStream-9.2.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_2.s390x",
"AppStream-9.2.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_2.x86_64",
"AppStream-9.2.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_2.aarch64",
"AppStream-9.2.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_2.ppc64le",
"AppStream-9.2.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_2.s390x",
"AppStream-9.2.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_2.x86_64",
"AppStream-9.2.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_2.aarch64",
"AppStream-9.2.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_2.ppc64le",
"AppStream-9.2.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_2.s390x",
"AppStream-9.2.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.2.0.Z.EUS:python-tornado-0:6.4.2-1.el9_2.src",
"AppStream-9.2.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_2.aarch64",
"AppStream-9.2.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_2.ppc64le",
"AppStream-9.2.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_2.s390x",
"AppStream-9.2.0.Z.EUS:python-tornado-debugsource-0:6.4.2-1.el9_2.x86_64",
"AppStream-9.2.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_2.aarch64",
"AppStream-9.2.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_2.ppc64le",
"AppStream-9.2.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_2.s390x",
"AppStream-9.2.0.Z.EUS:python3-tornado-0:6.4.2-1.el9_2.x86_64",
"AppStream-9.2.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_2.aarch64",
"AppStream-9.2.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_2.ppc64le",
"AppStream-9.2.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_2.s390x",
"AppStream-9.2.0.Z.EUS:python3-tornado-debuginfo-0:6.4.2-1.el9_2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "python-tornado: Tornado has HTTP cookie parsing DoS vulnerability"
}
]
}
rhsa-2025:2872
Vulnerability from csaf_redhat
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for pcs is now available for Red Hat Enterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities.\n\nSecurity Fix(es):\n\n* python-tornado: Tornado has HTTP cookie parsing DoS vulnerability (CVE-2024-52804)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:2872",
"url": "https://access.redhat.com/errata/RHSA-2025:2872"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2328045",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2328045"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_2872.json"
}
],
"title": "Red Hat Security Advisory: pcs security update",
"tracking": {
"current_release_date": "2025-11-06T22:35:41+00:00",
"generator": {
"date": "2025-11-06T22:35:41+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.11"
}
},
"id": "RHSA-2025:2872",
"initial_release_date": "2025-03-17T01:35:39+00:00",
"revision_history": [
{
"date": "2025-03-17T01:35:39+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-03-17T01:35:39+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-06T22:35:41+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux HighAvailability (v. 8)",
"product": {
"name": "Red Hat Enterprise Linux HighAvailability (v. 8)",
"product_id": "HighAvailability-8.10.0.Z.MAIN.EUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:enterprise_linux:8::highavailability"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux ResilientStorage (v. 8)",
"product": {
"name": "Red Hat Enterprise Linux ResilientStorage (v. 8)",
"product_id": "ResilientStorage-8.10.0.Z.MAIN.EUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:enterprise_linux:8::resilientstorage"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "pcs-0:0.10.18-2.el8_10.4.src",
"product": {
"name": "pcs-0:0.10.18-2.el8_10.4.src",
"product_id": "pcs-0:0.10.18-2.el8_10.4.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/pcs@0.10.18-2.el8_10.4?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "pcs-0:0.10.18-2.el8_10.4.aarch64",
"product": {
"name": "pcs-0:0.10.18-2.el8_10.4.aarch64",
"product_id": "pcs-0:0.10.18-2.el8_10.4.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/pcs@0.10.18-2.el8_10.4?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "pcs-snmp-0:0.10.18-2.el8_10.4.aarch64",
"product": {
"name": "pcs-snmp-0:0.10.18-2.el8_10.4.aarch64",
"product_id": "pcs-snmp-0:0.10.18-2.el8_10.4.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/pcs-snmp@0.10.18-2.el8_10.4?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "pcs-0:0.10.18-2.el8_10.4.ppc64le",
"product": {
"name": "pcs-0:0.10.18-2.el8_10.4.ppc64le",
"product_id": "pcs-0:0.10.18-2.el8_10.4.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/pcs@0.10.18-2.el8_10.4?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "pcs-snmp-0:0.10.18-2.el8_10.4.ppc64le",
"product": {
"name": "pcs-snmp-0:0.10.18-2.el8_10.4.ppc64le",
"product_id": "pcs-snmp-0:0.10.18-2.el8_10.4.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/pcs-snmp@0.10.18-2.el8_10.4?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "pcs-0:0.10.18-2.el8_10.4.x86_64",
"product": {
"name": "pcs-0:0.10.18-2.el8_10.4.x86_64",
"product_id": "pcs-0:0.10.18-2.el8_10.4.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/pcs@0.10.18-2.el8_10.4?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "pcs-snmp-0:0.10.18-2.el8_10.4.x86_64",
"product": {
"name": "pcs-snmp-0:0.10.18-2.el8_10.4.x86_64",
"product_id": "pcs-snmp-0:0.10.18-2.el8_10.4.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/pcs-snmp@0.10.18-2.el8_10.4?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "pcs-0:0.10.18-2.el8_10.4.s390x",
"product": {
"name": "pcs-0:0.10.18-2.el8_10.4.s390x",
"product_id": "pcs-0:0.10.18-2.el8_10.4.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/pcs@0.10.18-2.el8_10.4?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "pcs-snmp-0:0.10.18-2.el8_10.4.s390x",
"product": {
"name": "pcs-snmp-0:0.10.18-2.el8_10.4.s390x",
"product_id": "pcs-snmp-0:0.10.18-2.el8_10.4.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/pcs-snmp@0.10.18-2.el8_10.4?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.10.18-2.el8_10.4.aarch64 as a component of Red Hat Enterprise Linux HighAvailability (v. 8)",
"product_id": "HighAvailability-8.10.0.Z.MAIN.EUS:pcs-0:0.10.18-2.el8_10.4.aarch64"
},
"product_reference": "pcs-0:0.10.18-2.el8_10.4.aarch64",
"relates_to_product_reference": "HighAvailability-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.10.18-2.el8_10.4.ppc64le as a component of Red Hat Enterprise Linux HighAvailability (v. 8)",
"product_id": "HighAvailability-8.10.0.Z.MAIN.EUS:pcs-0:0.10.18-2.el8_10.4.ppc64le"
},
"product_reference": "pcs-0:0.10.18-2.el8_10.4.ppc64le",
"relates_to_product_reference": "HighAvailability-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.10.18-2.el8_10.4.s390x as a component of Red Hat Enterprise Linux HighAvailability (v. 8)",
"product_id": "HighAvailability-8.10.0.Z.MAIN.EUS:pcs-0:0.10.18-2.el8_10.4.s390x"
},
"product_reference": "pcs-0:0.10.18-2.el8_10.4.s390x",
"relates_to_product_reference": "HighAvailability-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.10.18-2.el8_10.4.src as a component of Red Hat Enterprise Linux HighAvailability (v. 8)",
"product_id": "HighAvailability-8.10.0.Z.MAIN.EUS:pcs-0:0.10.18-2.el8_10.4.src"
},
"product_reference": "pcs-0:0.10.18-2.el8_10.4.src",
"relates_to_product_reference": "HighAvailability-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.10.18-2.el8_10.4.x86_64 as a component of Red Hat Enterprise Linux HighAvailability (v. 8)",
"product_id": "HighAvailability-8.10.0.Z.MAIN.EUS:pcs-0:0.10.18-2.el8_10.4.x86_64"
},
"product_reference": "pcs-0:0.10.18-2.el8_10.4.x86_64",
"relates_to_product_reference": "HighAvailability-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-snmp-0:0.10.18-2.el8_10.4.aarch64 as a component of Red Hat Enterprise Linux HighAvailability (v. 8)",
"product_id": "HighAvailability-8.10.0.Z.MAIN.EUS:pcs-snmp-0:0.10.18-2.el8_10.4.aarch64"
},
"product_reference": "pcs-snmp-0:0.10.18-2.el8_10.4.aarch64",
"relates_to_product_reference": "HighAvailability-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-snmp-0:0.10.18-2.el8_10.4.ppc64le as a component of Red Hat Enterprise Linux HighAvailability (v. 8)",
"product_id": "HighAvailability-8.10.0.Z.MAIN.EUS:pcs-snmp-0:0.10.18-2.el8_10.4.ppc64le"
},
"product_reference": "pcs-snmp-0:0.10.18-2.el8_10.4.ppc64le",
"relates_to_product_reference": "HighAvailability-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-snmp-0:0.10.18-2.el8_10.4.s390x as a component of Red Hat Enterprise Linux HighAvailability (v. 8)",
"product_id": "HighAvailability-8.10.0.Z.MAIN.EUS:pcs-snmp-0:0.10.18-2.el8_10.4.s390x"
},
"product_reference": "pcs-snmp-0:0.10.18-2.el8_10.4.s390x",
"relates_to_product_reference": "HighAvailability-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-snmp-0:0.10.18-2.el8_10.4.x86_64 as a component of Red Hat Enterprise Linux HighAvailability (v. 8)",
"product_id": "HighAvailability-8.10.0.Z.MAIN.EUS:pcs-snmp-0:0.10.18-2.el8_10.4.x86_64"
},
"product_reference": "pcs-snmp-0:0.10.18-2.el8_10.4.x86_64",
"relates_to_product_reference": "HighAvailability-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.10.18-2.el8_10.4.aarch64 as a component of Red Hat Enterprise Linux ResilientStorage (v. 8)",
"product_id": "ResilientStorage-8.10.0.Z.MAIN.EUS:pcs-0:0.10.18-2.el8_10.4.aarch64"
},
"product_reference": "pcs-0:0.10.18-2.el8_10.4.aarch64",
"relates_to_product_reference": "ResilientStorage-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.10.18-2.el8_10.4.ppc64le as a component of Red Hat Enterprise Linux ResilientStorage (v. 8)",
"product_id": "ResilientStorage-8.10.0.Z.MAIN.EUS:pcs-0:0.10.18-2.el8_10.4.ppc64le"
},
"product_reference": "pcs-0:0.10.18-2.el8_10.4.ppc64le",
"relates_to_product_reference": "ResilientStorage-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.10.18-2.el8_10.4.s390x as a component of Red Hat Enterprise Linux ResilientStorage (v. 8)",
"product_id": "ResilientStorage-8.10.0.Z.MAIN.EUS:pcs-0:0.10.18-2.el8_10.4.s390x"
},
"product_reference": "pcs-0:0.10.18-2.el8_10.4.s390x",
"relates_to_product_reference": "ResilientStorage-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.10.18-2.el8_10.4.src as a component of Red Hat Enterprise Linux ResilientStorage (v. 8)",
"product_id": "ResilientStorage-8.10.0.Z.MAIN.EUS:pcs-0:0.10.18-2.el8_10.4.src"
},
"product_reference": "pcs-0:0.10.18-2.el8_10.4.src",
"relates_to_product_reference": "ResilientStorage-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.10.18-2.el8_10.4.x86_64 as a component of Red Hat Enterprise Linux ResilientStorage (v. 8)",
"product_id": "ResilientStorage-8.10.0.Z.MAIN.EUS:pcs-0:0.10.18-2.el8_10.4.x86_64"
},
"product_reference": "pcs-0:0.10.18-2.el8_10.4.x86_64",
"relates_to_product_reference": "ResilientStorage-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-snmp-0:0.10.18-2.el8_10.4.aarch64 as a component of Red Hat Enterprise Linux ResilientStorage (v. 8)",
"product_id": "ResilientStorage-8.10.0.Z.MAIN.EUS:pcs-snmp-0:0.10.18-2.el8_10.4.aarch64"
},
"product_reference": "pcs-snmp-0:0.10.18-2.el8_10.4.aarch64",
"relates_to_product_reference": "ResilientStorage-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-snmp-0:0.10.18-2.el8_10.4.ppc64le as a component of Red Hat Enterprise Linux ResilientStorage (v. 8)",
"product_id": "ResilientStorage-8.10.0.Z.MAIN.EUS:pcs-snmp-0:0.10.18-2.el8_10.4.ppc64le"
},
"product_reference": "pcs-snmp-0:0.10.18-2.el8_10.4.ppc64le",
"relates_to_product_reference": "ResilientStorage-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-snmp-0:0.10.18-2.el8_10.4.s390x as a component of Red Hat Enterprise Linux ResilientStorage (v. 8)",
"product_id": "ResilientStorage-8.10.0.Z.MAIN.EUS:pcs-snmp-0:0.10.18-2.el8_10.4.s390x"
},
"product_reference": "pcs-snmp-0:0.10.18-2.el8_10.4.s390x",
"relates_to_product_reference": "ResilientStorage-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-snmp-0:0.10.18-2.el8_10.4.x86_64 as a component of Red Hat Enterprise Linux ResilientStorage (v. 8)",
"product_id": "ResilientStorage-8.10.0.Z.MAIN.EUS:pcs-snmp-0:0.10.18-2.el8_10.4.x86_64"
},
"product_reference": "pcs-snmp-0:0.10.18-2.el8_10.4.x86_64",
"relates_to_product_reference": "ResilientStorage-8.10.0.Z.MAIN.EUS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-52804",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2024-11-22T16:00:41.704855+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2328045"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Tornado\u0027s HTTP cookie parsing algorithm. Parsing a maliciously crafted Cookie header can exhibit quadratic complexity, causing excessive CPU consumption. Because this parsing runs on the event loop thread, it can block the processing of other requests and lead to a loss of availability of the service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "python-tornado: Tornado has HTTP cookie parsing DoS vulnerability",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"HighAvailability-8.10.0.Z.MAIN.EUS:pcs-0:0.10.18-2.el8_10.4.aarch64",
"HighAvailability-8.10.0.Z.MAIN.EUS:pcs-0:0.10.18-2.el8_10.4.ppc64le",
"HighAvailability-8.10.0.Z.MAIN.EUS:pcs-0:0.10.18-2.el8_10.4.s390x",
"HighAvailability-8.10.0.Z.MAIN.EUS:pcs-0:0.10.18-2.el8_10.4.src",
"HighAvailability-8.10.0.Z.MAIN.EUS:pcs-0:0.10.18-2.el8_10.4.x86_64",
"HighAvailability-8.10.0.Z.MAIN.EUS:pcs-snmp-0:0.10.18-2.el8_10.4.aarch64",
"HighAvailability-8.10.0.Z.MAIN.EUS:pcs-snmp-0:0.10.18-2.el8_10.4.ppc64le",
"HighAvailability-8.10.0.Z.MAIN.EUS:pcs-snmp-0:0.10.18-2.el8_10.4.s390x",
"HighAvailability-8.10.0.Z.MAIN.EUS:pcs-snmp-0:0.10.18-2.el8_10.4.x86_64",
"ResilientStorage-8.10.0.Z.MAIN.EUS:pcs-0:0.10.18-2.el8_10.4.aarch64",
"ResilientStorage-8.10.0.Z.MAIN.EUS:pcs-0:0.10.18-2.el8_10.4.ppc64le",
"ResilientStorage-8.10.0.Z.MAIN.EUS:pcs-0:0.10.18-2.el8_10.4.s390x",
"ResilientStorage-8.10.0.Z.MAIN.EUS:pcs-0:0.10.18-2.el8_10.4.src",
"ResilientStorage-8.10.0.Z.MAIN.EUS:pcs-0:0.10.18-2.el8_10.4.x86_64",
"ResilientStorage-8.10.0.Z.MAIN.EUS:pcs-snmp-0:0.10.18-2.el8_10.4.aarch64",
"ResilientStorage-8.10.0.Z.MAIN.EUS:pcs-snmp-0:0.10.18-2.el8_10.4.ppc64le",
"ResilientStorage-8.10.0.Z.MAIN.EUS:pcs-snmp-0:0.10.18-2.el8_10.4.s390x",
"ResilientStorage-8.10.0.Z.MAIN.EUS:pcs-snmp-0:0.10.18-2.el8_10.4.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-52804"
},
{
"category": "external",
"summary": "RHBZ#2328045",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2328045"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-52804",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-52804"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-52804",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52804"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-7pwv-g7hj-39pr",
"url": "https://github.com/advisories/GHSA-7pwv-g7hj-39pr"
},
{
"category": "external",
"summary": "https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533",
"url": "https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533"
},
{
"category": "external",
"summary": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c",
"url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c"
}
],
"release_date": "2024-11-22T15:43:38.572000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-03-17T01:35:39+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"HighAvailability-8.10.0.Z.MAIN.EUS:pcs-0:0.10.18-2.el8_10.4.aarch64",
"HighAvailability-8.10.0.Z.MAIN.EUS:pcs-0:0.10.18-2.el8_10.4.ppc64le",
"HighAvailability-8.10.0.Z.MAIN.EUS:pcs-0:0.10.18-2.el8_10.4.s390x",
"HighAvailability-8.10.0.Z.MAIN.EUS:pcs-0:0.10.18-2.el8_10.4.src",
"HighAvailability-8.10.0.Z.MAIN.EUS:pcs-0:0.10.18-2.el8_10.4.x86_64",
"HighAvailability-8.10.0.Z.MAIN.EUS:pcs-snmp-0:0.10.18-2.el8_10.4.aarch64",
"HighAvailability-8.10.0.Z.MAIN.EUS:pcs-snmp-0:0.10.18-2.el8_10.4.ppc64le",
"HighAvailability-8.10.0.Z.MAIN.EUS:pcs-snmp-0:0.10.18-2.el8_10.4.s390x",
"HighAvailability-8.10.0.Z.MAIN.EUS:pcs-snmp-0:0.10.18-2.el8_10.4.x86_64",
"ResilientStorage-8.10.0.Z.MAIN.EUS:pcs-0:0.10.18-2.el8_10.4.aarch64",
"ResilientStorage-8.10.0.Z.MAIN.EUS:pcs-0:0.10.18-2.el8_10.4.ppc64le",
"ResilientStorage-8.10.0.Z.MAIN.EUS:pcs-0:0.10.18-2.el8_10.4.s390x",
"ResilientStorage-8.10.0.Z.MAIN.EUS:pcs-0:0.10.18-2.el8_10.4.src",
"ResilientStorage-8.10.0.Z.MAIN.EUS:pcs-0:0.10.18-2.el8_10.4.x86_64",
"ResilientStorage-8.10.0.Z.MAIN.EUS:pcs-snmp-0:0.10.18-2.el8_10.4.aarch64",
"ResilientStorage-8.10.0.Z.MAIN.EUS:pcs-snmp-0:0.10.18-2.el8_10.4.ppc64le",
"ResilientStorage-8.10.0.Z.MAIN.EUS:pcs-snmp-0:0.10.18-2.el8_10.4.s390x",
"ResilientStorage-8.10.0.Z.MAIN.EUS:pcs-snmp-0:0.10.18-2.el8_10.4.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:2872"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to a widespread installation base, or stability.",
"product_ids": [
"HighAvailability-8.10.0.Z.MAIN.EUS:pcs-0:0.10.18-2.el8_10.4.aarch64",
"HighAvailability-8.10.0.Z.MAIN.EUS:pcs-0:0.10.18-2.el8_10.4.ppc64le",
"HighAvailability-8.10.0.Z.MAIN.EUS:pcs-0:0.10.18-2.el8_10.4.s390x",
"HighAvailability-8.10.0.Z.MAIN.EUS:pcs-0:0.10.18-2.el8_10.4.src",
"HighAvailability-8.10.0.Z.MAIN.EUS:pcs-0:0.10.18-2.el8_10.4.x86_64",
"HighAvailability-8.10.0.Z.MAIN.EUS:pcs-snmp-0:0.10.18-2.el8_10.4.aarch64",
"HighAvailability-8.10.0.Z.MAIN.EUS:pcs-snmp-0:0.10.18-2.el8_10.4.ppc64le",
"HighAvailability-8.10.0.Z.MAIN.EUS:pcs-snmp-0:0.10.18-2.el8_10.4.s390x",
"HighAvailability-8.10.0.Z.MAIN.EUS:pcs-snmp-0:0.10.18-2.el8_10.4.x86_64",
"ResilientStorage-8.10.0.Z.MAIN.EUS:pcs-0:0.10.18-2.el8_10.4.aarch64",
"ResilientStorage-8.10.0.Z.MAIN.EUS:pcs-0:0.10.18-2.el8_10.4.ppc64le",
"ResilientStorage-8.10.0.Z.MAIN.EUS:pcs-0:0.10.18-2.el8_10.4.s390x",
"ResilientStorage-8.10.0.Z.MAIN.EUS:pcs-0:0.10.18-2.el8_10.4.src",
"ResilientStorage-8.10.0.Z.MAIN.EUS:pcs-0:0.10.18-2.el8_10.4.x86_64",
"ResilientStorage-8.10.0.Z.MAIN.EUS:pcs-snmp-0:0.10.18-2.el8_10.4.aarch64",
"ResilientStorage-8.10.0.Z.MAIN.EUS:pcs-snmp-0:0.10.18-2.el8_10.4.ppc64le",
"ResilientStorage-8.10.0.Z.MAIN.EUS:pcs-snmp-0:0.10.18-2.el8_10.4.s390x",
"ResilientStorage-8.10.0.Z.MAIN.EUS:pcs-snmp-0:0.10.18-2.el8_10.4.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"HighAvailability-8.10.0.Z.MAIN.EUS:pcs-0:0.10.18-2.el8_10.4.aarch64",
"HighAvailability-8.10.0.Z.MAIN.EUS:pcs-0:0.10.18-2.el8_10.4.ppc64le",
"HighAvailability-8.10.0.Z.MAIN.EUS:pcs-0:0.10.18-2.el8_10.4.s390x",
"HighAvailability-8.10.0.Z.MAIN.EUS:pcs-0:0.10.18-2.el8_10.4.src",
"HighAvailability-8.10.0.Z.MAIN.EUS:pcs-0:0.10.18-2.el8_10.4.x86_64",
"HighAvailability-8.10.0.Z.MAIN.EUS:pcs-snmp-0:0.10.18-2.el8_10.4.aarch64",
"HighAvailability-8.10.0.Z.MAIN.EUS:pcs-snmp-0:0.10.18-2.el8_10.4.ppc64le",
"HighAvailability-8.10.0.Z.MAIN.EUS:pcs-snmp-0:0.10.18-2.el8_10.4.s390x",
"HighAvailability-8.10.0.Z.MAIN.EUS:pcs-snmp-0:0.10.18-2.el8_10.4.x86_64",
"ResilientStorage-8.10.0.Z.MAIN.EUS:pcs-0:0.10.18-2.el8_10.4.aarch64",
"ResilientStorage-8.10.0.Z.MAIN.EUS:pcs-0:0.10.18-2.el8_10.4.ppc64le",
"ResilientStorage-8.10.0.Z.MAIN.EUS:pcs-0:0.10.18-2.el8_10.4.s390x",
"ResilientStorage-8.10.0.Z.MAIN.EUS:pcs-0:0.10.18-2.el8_10.4.src",
"ResilientStorage-8.10.0.Z.MAIN.EUS:pcs-0:0.10.18-2.el8_10.4.x86_64",
"ResilientStorage-8.10.0.Z.MAIN.EUS:pcs-snmp-0:0.10.18-2.el8_10.4.aarch64",
"ResilientStorage-8.10.0.Z.MAIN.EUS:pcs-snmp-0:0.10.18-2.el8_10.4.ppc64le",
"ResilientStorage-8.10.0.Z.MAIN.EUS:pcs-snmp-0:0.10.18-2.el8_10.4.s390x",
"ResilientStorage-8.10.0.Z.MAIN.EUS:pcs-snmp-0:0.10.18-2.el8_10.4.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "python-tornado: Tornado has HTTP cookie parsing DoS vulnerability"
}
]
}
rhsa-2025:2471
Vulnerability from csaf_redhat
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for pcs is now available for Red Hat Enterprise Linux 9.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities.\n\nSecurity Fix(es):\n\n* python-tornado: Tornado has HTTP cookie parsing DoS vulnerability (CVE-2024-52804)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:2471",
"url": "https://access.redhat.com/errata/RHSA-2025:2471"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2328045",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2328045"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_2471.json"
}
],
"title": "Red Hat Security Advisory: pcs security update",
"tracking": {
"current_release_date": "2025-11-06T22:35:32+00:00",
"generator": {
"date": "2025-11-06T22:35:32+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.11"
}
},
"id": "RHSA-2025:2471",
"initial_release_date": "2025-03-10T01:03:02+00:00",
"revision_history": [
{
"date": "2025-03-10T01:03:02+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-03-10T01:03:02+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-06T22:35:32+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux High Availability (v. 9)",
"product": {
"name": "Red Hat Enterprise Linux High Availability (v. 9)",
"product_id": "HighAvailability-9.5.0.Z.MAIN",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:enterprise_linux:9::highavailability"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Resilient Storage (v. 9)",
"product": {
"name": "Red Hat Enterprise Linux Resilient Storage (v. 9)",
"product_id": "ResilientStorage-9.5.0.Z.MAIN",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:enterprise_linux:9::resilientstorage"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "pcs-0:0.11.8-1.el9_5.2.src",
"product": {
"name": "pcs-0:0.11.8-1.el9_5.2.src",
"product_id": "pcs-0:0.11.8-1.el9_5.2.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/pcs@0.11.8-1.el9_5.2?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "pcs-0:0.11.8-1.el9_5.2.aarch64",
"product": {
"name": "pcs-0:0.11.8-1.el9_5.2.aarch64",
"product_id": "pcs-0:0.11.8-1.el9_5.2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/pcs@0.11.8-1.el9_5.2?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "pcs-snmp-0:0.11.8-1.el9_5.2.aarch64",
"product": {
"name": "pcs-snmp-0:0.11.8-1.el9_5.2.aarch64",
"product_id": "pcs-snmp-0:0.11.8-1.el9_5.2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/pcs-snmp@0.11.8-1.el9_5.2?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "pcs-0:0.11.8-1.el9_5.2.ppc64le",
"product": {
"name": "pcs-0:0.11.8-1.el9_5.2.ppc64le",
"product_id": "pcs-0:0.11.8-1.el9_5.2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/pcs@0.11.8-1.el9_5.2?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "pcs-snmp-0:0.11.8-1.el9_5.2.ppc64le",
"product": {
"name": "pcs-snmp-0:0.11.8-1.el9_5.2.ppc64le",
"product_id": "pcs-snmp-0:0.11.8-1.el9_5.2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/pcs-snmp@0.11.8-1.el9_5.2?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "pcs-0:0.11.8-1.el9_5.2.x86_64",
"product": {
"name": "pcs-0:0.11.8-1.el9_5.2.x86_64",
"product_id": "pcs-0:0.11.8-1.el9_5.2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/pcs@0.11.8-1.el9_5.2?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "pcs-snmp-0:0.11.8-1.el9_5.2.x86_64",
"product": {
"name": "pcs-snmp-0:0.11.8-1.el9_5.2.x86_64",
"product_id": "pcs-snmp-0:0.11.8-1.el9_5.2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/pcs-snmp@0.11.8-1.el9_5.2?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "pcs-0:0.11.8-1.el9_5.2.s390x",
"product": {
"name": "pcs-0:0.11.8-1.el9_5.2.s390x",
"product_id": "pcs-0:0.11.8-1.el9_5.2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/pcs@0.11.8-1.el9_5.2?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "pcs-snmp-0:0.11.8-1.el9_5.2.s390x",
"product": {
"name": "pcs-snmp-0:0.11.8-1.el9_5.2.s390x",
"product_id": "pcs-snmp-0:0.11.8-1.el9_5.2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/pcs-snmp@0.11.8-1.el9_5.2?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.11.8-1.el9_5.2.aarch64 as a component of Red Hat Enterprise Linux High Availability (v. 9)",
"product_id": "HighAvailability-9.5.0.Z.MAIN:pcs-0:0.11.8-1.el9_5.2.aarch64"
},
"product_reference": "pcs-0:0.11.8-1.el9_5.2.aarch64",
"relates_to_product_reference": "HighAvailability-9.5.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.11.8-1.el9_5.2.ppc64le as a component of Red Hat Enterprise Linux High Availability (v. 9)",
"product_id": "HighAvailability-9.5.0.Z.MAIN:pcs-0:0.11.8-1.el9_5.2.ppc64le"
},
"product_reference": "pcs-0:0.11.8-1.el9_5.2.ppc64le",
"relates_to_product_reference": "HighAvailability-9.5.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.11.8-1.el9_5.2.s390x as a component of Red Hat Enterprise Linux High Availability (v. 9)",
"product_id": "HighAvailability-9.5.0.Z.MAIN:pcs-0:0.11.8-1.el9_5.2.s390x"
},
"product_reference": "pcs-0:0.11.8-1.el9_5.2.s390x",
"relates_to_product_reference": "HighAvailability-9.5.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.11.8-1.el9_5.2.src as a component of Red Hat Enterprise Linux High Availability (v. 9)",
"product_id": "HighAvailability-9.5.0.Z.MAIN:pcs-0:0.11.8-1.el9_5.2.src"
},
"product_reference": "pcs-0:0.11.8-1.el9_5.2.src",
"relates_to_product_reference": "HighAvailability-9.5.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.11.8-1.el9_5.2.x86_64 as a component of Red Hat Enterprise Linux High Availability (v. 9)",
"product_id": "HighAvailability-9.5.0.Z.MAIN:pcs-0:0.11.8-1.el9_5.2.x86_64"
},
"product_reference": "pcs-0:0.11.8-1.el9_5.2.x86_64",
"relates_to_product_reference": "HighAvailability-9.5.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-snmp-0:0.11.8-1.el9_5.2.aarch64 as a component of Red Hat Enterprise Linux High Availability (v. 9)",
"product_id": "HighAvailability-9.5.0.Z.MAIN:pcs-snmp-0:0.11.8-1.el9_5.2.aarch64"
},
"product_reference": "pcs-snmp-0:0.11.8-1.el9_5.2.aarch64",
"relates_to_product_reference": "HighAvailability-9.5.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-snmp-0:0.11.8-1.el9_5.2.ppc64le as a component of Red Hat Enterprise Linux High Availability (v. 9)",
"product_id": "HighAvailability-9.5.0.Z.MAIN:pcs-snmp-0:0.11.8-1.el9_5.2.ppc64le"
},
"product_reference": "pcs-snmp-0:0.11.8-1.el9_5.2.ppc64le",
"relates_to_product_reference": "HighAvailability-9.5.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-snmp-0:0.11.8-1.el9_5.2.s390x as a component of Red Hat Enterprise Linux High Availability (v. 9)",
"product_id": "HighAvailability-9.5.0.Z.MAIN:pcs-snmp-0:0.11.8-1.el9_5.2.s390x"
},
"product_reference": "pcs-snmp-0:0.11.8-1.el9_5.2.s390x",
"relates_to_product_reference": "HighAvailability-9.5.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-snmp-0:0.11.8-1.el9_5.2.x86_64 as a component of Red Hat Enterprise Linux High Availability (v. 9)",
"product_id": "HighAvailability-9.5.0.Z.MAIN:pcs-snmp-0:0.11.8-1.el9_5.2.x86_64"
},
"product_reference": "pcs-snmp-0:0.11.8-1.el9_5.2.x86_64",
"relates_to_product_reference": "HighAvailability-9.5.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.11.8-1.el9_5.2.aarch64 as a component of Red Hat Enterprise Linux Resilient Storage (v. 9)",
"product_id": "ResilientStorage-9.5.0.Z.MAIN:pcs-0:0.11.8-1.el9_5.2.aarch64"
},
"product_reference": "pcs-0:0.11.8-1.el9_5.2.aarch64",
"relates_to_product_reference": "ResilientStorage-9.5.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.11.8-1.el9_5.2.ppc64le as a component of Red Hat Enterprise Linux Resilient Storage (v. 9)",
"product_id": "ResilientStorage-9.5.0.Z.MAIN:pcs-0:0.11.8-1.el9_5.2.ppc64le"
},
"product_reference": "pcs-0:0.11.8-1.el9_5.2.ppc64le",
"relates_to_product_reference": "ResilientStorage-9.5.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.11.8-1.el9_5.2.s390x as a component of Red Hat Enterprise Linux Resilient Storage (v. 9)",
"product_id": "ResilientStorage-9.5.0.Z.MAIN:pcs-0:0.11.8-1.el9_5.2.s390x"
},
"product_reference": "pcs-0:0.11.8-1.el9_5.2.s390x",
"relates_to_product_reference": "ResilientStorage-9.5.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.11.8-1.el9_5.2.src as a component of Red Hat Enterprise Linux Resilient Storage (v. 9)",
"product_id": "ResilientStorage-9.5.0.Z.MAIN:pcs-0:0.11.8-1.el9_5.2.src"
},
"product_reference": "pcs-0:0.11.8-1.el9_5.2.src",
"relates_to_product_reference": "ResilientStorage-9.5.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.11.8-1.el9_5.2.x86_64 as a component of Red Hat Enterprise Linux Resilient Storage (v. 9)",
"product_id": "ResilientStorage-9.5.0.Z.MAIN:pcs-0:0.11.8-1.el9_5.2.x86_64"
},
"product_reference": "pcs-0:0.11.8-1.el9_5.2.x86_64",
"relates_to_product_reference": "ResilientStorage-9.5.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-snmp-0:0.11.8-1.el9_5.2.aarch64 as a component of Red Hat Enterprise Linux Resilient Storage (v. 9)",
"product_id": "ResilientStorage-9.5.0.Z.MAIN:pcs-snmp-0:0.11.8-1.el9_5.2.aarch64"
},
"product_reference": "pcs-snmp-0:0.11.8-1.el9_5.2.aarch64",
"relates_to_product_reference": "ResilientStorage-9.5.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-snmp-0:0.11.8-1.el9_5.2.ppc64le as a component of Red Hat Enterprise Linux Resilient Storage (v. 9)",
"product_id": "ResilientStorage-9.5.0.Z.MAIN:pcs-snmp-0:0.11.8-1.el9_5.2.ppc64le"
},
"product_reference": "pcs-snmp-0:0.11.8-1.el9_5.2.ppc64le",
"relates_to_product_reference": "ResilientStorage-9.5.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-snmp-0:0.11.8-1.el9_5.2.s390x as a component of Red Hat Enterprise Linux Resilient Storage (v. 9)",
"product_id": "ResilientStorage-9.5.0.Z.MAIN:pcs-snmp-0:0.11.8-1.el9_5.2.s390x"
},
"product_reference": "pcs-snmp-0:0.11.8-1.el9_5.2.s390x",
"relates_to_product_reference": "ResilientStorage-9.5.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-snmp-0:0.11.8-1.el9_5.2.x86_64 as a component of Red Hat Enterprise Linux Resilient Storage (v. 9)",
"product_id": "ResilientStorage-9.5.0.Z.MAIN:pcs-snmp-0:0.11.8-1.el9_5.2.x86_64"
},
"product_reference": "pcs-snmp-0:0.11.8-1.el9_5.2.x86_64",
"relates_to_product_reference": "ResilientStorage-9.5.0.Z.MAIN"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-52804",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2024-11-22T16:00:41.704855+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2328045"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Tornado\u0027s HTTP cookie parsing algorithm. Parsing a maliciously crafted Cookie header can exhibit quadratic complexity, causing excessive CPU consumption. Because this parsing runs on the event loop thread, it can block the processing of other requests and lead to a loss of availability of the service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "python-tornado: Tornado has HTTP cookie parsing DoS vulnerability",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"HighAvailability-9.5.0.Z.MAIN:pcs-0:0.11.8-1.el9_5.2.aarch64",
"HighAvailability-9.5.0.Z.MAIN:pcs-0:0.11.8-1.el9_5.2.ppc64le",
"HighAvailability-9.5.0.Z.MAIN:pcs-0:0.11.8-1.el9_5.2.s390x",
"HighAvailability-9.5.0.Z.MAIN:pcs-0:0.11.8-1.el9_5.2.src",
"HighAvailability-9.5.0.Z.MAIN:pcs-0:0.11.8-1.el9_5.2.x86_64",
"HighAvailability-9.5.0.Z.MAIN:pcs-snmp-0:0.11.8-1.el9_5.2.aarch64",
"HighAvailability-9.5.0.Z.MAIN:pcs-snmp-0:0.11.8-1.el9_5.2.ppc64le",
"HighAvailability-9.5.0.Z.MAIN:pcs-snmp-0:0.11.8-1.el9_5.2.s390x",
"HighAvailability-9.5.0.Z.MAIN:pcs-snmp-0:0.11.8-1.el9_5.2.x86_64",
"ResilientStorage-9.5.0.Z.MAIN:pcs-0:0.11.8-1.el9_5.2.aarch64",
"ResilientStorage-9.5.0.Z.MAIN:pcs-0:0.11.8-1.el9_5.2.ppc64le",
"ResilientStorage-9.5.0.Z.MAIN:pcs-0:0.11.8-1.el9_5.2.s390x",
"ResilientStorage-9.5.0.Z.MAIN:pcs-0:0.11.8-1.el9_5.2.src",
"ResilientStorage-9.5.0.Z.MAIN:pcs-0:0.11.8-1.el9_5.2.x86_64",
"ResilientStorage-9.5.0.Z.MAIN:pcs-snmp-0:0.11.8-1.el9_5.2.aarch64",
"ResilientStorage-9.5.0.Z.MAIN:pcs-snmp-0:0.11.8-1.el9_5.2.ppc64le",
"ResilientStorage-9.5.0.Z.MAIN:pcs-snmp-0:0.11.8-1.el9_5.2.s390x",
"ResilientStorage-9.5.0.Z.MAIN:pcs-snmp-0:0.11.8-1.el9_5.2.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-52804"
},
{
"category": "external",
"summary": "RHBZ#2328045",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2328045"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-52804",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-52804"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-52804",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52804"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-7pwv-g7hj-39pr",
"url": "https://github.com/advisories/GHSA-7pwv-g7hj-39pr"
},
{
"category": "external",
"summary": "https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533",
"url": "https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533"
},
{
"category": "external",
"summary": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c",
"url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c"
}
],
"release_date": "2024-11-22T15:43:38.572000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-03-10T01:03:02+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"HighAvailability-9.5.0.Z.MAIN:pcs-0:0.11.8-1.el9_5.2.aarch64",
"HighAvailability-9.5.0.Z.MAIN:pcs-0:0.11.8-1.el9_5.2.ppc64le",
"HighAvailability-9.5.0.Z.MAIN:pcs-0:0.11.8-1.el9_5.2.s390x",
"HighAvailability-9.5.0.Z.MAIN:pcs-0:0.11.8-1.el9_5.2.src",
"HighAvailability-9.5.0.Z.MAIN:pcs-0:0.11.8-1.el9_5.2.x86_64",
"HighAvailability-9.5.0.Z.MAIN:pcs-snmp-0:0.11.8-1.el9_5.2.aarch64",
"HighAvailability-9.5.0.Z.MAIN:pcs-snmp-0:0.11.8-1.el9_5.2.ppc64le",
"HighAvailability-9.5.0.Z.MAIN:pcs-snmp-0:0.11.8-1.el9_5.2.s390x",
"HighAvailability-9.5.0.Z.MAIN:pcs-snmp-0:0.11.8-1.el9_5.2.x86_64",
"ResilientStorage-9.5.0.Z.MAIN:pcs-0:0.11.8-1.el9_5.2.aarch64",
"ResilientStorage-9.5.0.Z.MAIN:pcs-0:0.11.8-1.el9_5.2.ppc64le",
"ResilientStorage-9.5.0.Z.MAIN:pcs-0:0.11.8-1.el9_5.2.s390x",
"ResilientStorage-9.5.0.Z.MAIN:pcs-0:0.11.8-1.el9_5.2.src",
"ResilientStorage-9.5.0.Z.MAIN:pcs-0:0.11.8-1.el9_5.2.x86_64",
"ResilientStorage-9.5.0.Z.MAIN:pcs-snmp-0:0.11.8-1.el9_5.2.aarch64",
"ResilientStorage-9.5.0.Z.MAIN:pcs-snmp-0:0.11.8-1.el9_5.2.ppc64le",
"ResilientStorage-9.5.0.Z.MAIN:pcs-snmp-0:0.11.8-1.el9_5.2.s390x",
"ResilientStorage-9.5.0.Z.MAIN:pcs-snmp-0:0.11.8-1.el9_5.2.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:2471"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to a widespread installation base, or stability.",
"product_ids": [
"HighAvailability-9.5.0.Z.MAIN:pcs-0:0.11.8-1.el9_5.2.aarch64",
"HighAvailability-9.5.0.Z.MAIN:pcs-0:0.11.8-1.el9_5.2.ppc64le",
"HighAvailability-9.5.0.Z.MAIN:pcs-0:0.11.8-1.el9_5.2.s390x",
"HighAvailability-9.5.0.Z.MAIN:pcs-0:0.11.8-1.el9_5.2.src",
"HighAvailability-9.5.0.Z.MAIN:pcs-0:0.11.8-1.el9_5.2.x86_64",
"HighAvailability-9.5.0.Z.MAIN:pcs-snmp-0:0.11.8-1.el9_5.2.aarch64",
"HighAvailability-9.5.0.Z.MAIN:pcs-snmp-0:0.11.8-1.el9_5.2.ppc64le",
"HighAvailability-9.5.0.Z.MAIN:pcs-snmp-0:0.11.8-1.el9_5.2.s390x",
"HighAvailability-9.5.0.Z.MAIN:pcs-snmp-0:0.11.8-1.el9_5.2.x86_64",
"ResilientStorage-9.5.0.Z.MAIN:pcs-0:0.11.8-1.el9_5.2.aarch64",
"ResilientStorage-9.5.0.Z.MAIN:pcs-0:0.11.8-1.el9_5.2.ppc64le",
"ResilientStorage-9.5.0.Z.MAIN:pcs-0:0.11.8-1.el9_5.2.s390x",
"ResilientStorage-9.5.0.Z.MAIN:pcs-0:0.11.8-1.el9_5.2.src",
"ResilientStorage-9.5.0.Z.MAIN:pcs-0:0.11.8-1.el9_5.2.x86_64",
"ResilientStorage-9.5.0.Z.MAIN:pcs-snmp-0:0.11.8-1.el9_5.2.aarch64",
"ResilientStorage-9.5.0.Z.MAIN:pcs-snmp-0:0.11.8-1.el9_5.2.ppc64le",
"ResilientStorage-9.5.0.Z.MAIN:pcs-snmp-0:0.11.8-1.el9_5.2.s390x",
"ResilientStorage-9.5.0.Z.MAIN:pcs-snmp-0:0.11.8-1.el9_5.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"HighAvailability-9.5.0.Z.MAIN:pcs-0:0.11.8-1.el9_5.2.aarch64",
"HighAvailability-9.5.0.Z.MAIN:pcs-0:0.11.8-1.el9_5.2.ppc64le",
"HighAvailability-9.5.0.Z.MAIN:pcs-0:0.11.8-1.el9_5.2.s390x",
"HighAvailability-9.5.0.Z.MAIN:pcs-0:0.11.8-1.el9_5.2.src",
"HighAvailability-9.5.0.Z.MAIN:pcs-0:0.11.8-1.el9_5.2.x86_64",
"HighAvailability-9.5.0.Z.MAIN:pcs-snmp-0:0.11.8-1.el9_5.2.aarch64",
"HighAvailability-9.5.0.Z.MAIN:pcs-snmp-0:0.11.8-1.el9_5.2.ppc64le",
"HighAvailability-9.5.0.Z.MAIN:pcs-snmp-0:0.11.8-1.el9_5.2.s390x",
"HighAvailability-9.5.0.Z.MAIN:pcs-snmp-0:0.11.8-1.el9_5.2.x86_64",
"ResilientStorage-9.5.0.Z.MAIN:pcs-0:0.11.8-1.el9_5.2.aarch64",
"ResilientStorage-9.5.0.Z.MAIN:pcs-0:0.11.8-1.el9_5.2.ppc64le",
"ResilientStorage-9.5.0.Z.MAIN:pcs-0:0.11.8-1.el9_5.2.s390x",
"ResilientStorage-9.5.0.Z.MAIN:pcs-0:0.11.8-1.el9_5.2.src",
"ResilientStorage-9.5.0.Z.MAIN:pcs-0:0.11.8-1.el9_5.2.x86_64",
"ResilientStorage-9.5.0.Z.MAIN:pcs-snmp-0:0.11.8-1.el9_5.2.aarch64",
"ResilientStorage-9.5.0.Z.MAIN:pcs-snmp-0:0.11.8-1.el9_5.2.ppc64le",
"ResilientStorage-9.5.0.Z.MAIN:pcs-snmp-0:0.11.8-1.el9_5.2.s390x",
"ResilientStorage-9.5.0.Z.MAIN:pcs-snmp-0:0.11.8-1.el9_5.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "python-tornado: Tornado has HTTP cookie parsing DoS vulnerability"
}
]
}
rhsa-2025:2956
Vulnerability from csaf_redhat
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for pcs is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities.\n\nSecurity Fix(es):\n\n* python-tornado: Tornado has HTTP cookie parsing DoS vulnerability (CVE-2024-52804)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:2956",
"url": "https://access.redhat.com/errata/RHSA-2025:2956"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2328045",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2328045"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_2956.json"
}
],
"title": "Red Hat Security Advisory: pcs security update",
"tracking": {
"current_release_date": "2025-11-06T22:35:41+00:00",
"generator": {
"date": "2025-11-06T22:35:41+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.11"
}
},
"id": "RHSA-2025:2956",
"initial_release_date": "2025-03-17T16:11:06+00:00",
"revision_history": [
{
"date": "2025-03-17T16:11:06+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-03-17T16:11:06+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-06T22:35:41+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux High Availability E4S (v.8.6)",
"product": {
"name": "Red Hat Enterprise Linux High Availability E4S (v.8.6)",
"product_id": "HighAvailability-8.6.0.Z.E4S",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_e4s:8.6::highavailability"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux High Availability TUS (v.8.6)",
"product": {
"name": "Red Hat Enterprise Linux High Availability TUS (v.8.6)",
"product_id": "HighAvailability-8.6.0.Z.TUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_tus:8.6::highavailability"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "pcs-0:0.10.12-6.el8_6.7.src",
"product": {
"name": "pcs-0:0.10.12-6.el8_6.7.src",
"product_id": "pcs-0:0.10.12-6.el8_6.7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/pcs@0.10.12-6.el8_6.7?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "pcs-0:0.10.12-6.el8_6.7.ppc64le",
"product": {
"name": "pcs-0:0.10.12-6.el8_6.7.ppc64le",
"product_id": "pcs-0:0.10.12-6.el8_6.7.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/pcs@0.10.12-6.el8_6.7?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "pcs-snmp-0:0.10.12-6.el8_6.7.ppc64le",
"product": {
"name": "pcs-snmp-0:0.10.12-6.el8_6.7.ppc64le",
"product_id": "pcs-snmp-0:0.10.12-6.el8_6.7.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/pcs-snmp@0.10.12-6.el8_6.7?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "pcs-0:0.10.12-6.el8_6.7.x86_64",
"product": {
"name": "pcs-0:0.10.12-6.el8_6.7.x86_64",
"product_id": "pcs-0:0.10.12-6.el8_6.7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/pcs@0.10.12-6.el8_6.7?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "pcs-snmp-0:0.10.12-6.el8_6.7.x86_64",
"product": {
"name": "pcs-snmp-0:0.10.12-6.el8_6.7.x86_64",
"product_id": "pcs-snmp-0:0.10.12-6.el8_6.7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/pcs-snmp@0.10.12-6.el8_6.7?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.10.12-6.el8_6.7.ppc64le as a component of Red Hat Enterprise Linux High Availability E4S (v.8.6)",
"product_id": "HighAvailability-8.6.0.Z.E4S:pcs-0:0.10.12-6.el8_6.7.ppc64le"
},
"product_reference": "pcs-0:0.10.12-6.el8_6.7.ppc64le",
"relates_to_product_reference": "HighAvailability-8.6.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.10.12-6.el8_6.7.src as a component of Red Hat Enterprise Linux High Availability E4S (v.8.6)",
"product_id": "HighAvailability-8.6.0.Z.E4S:pcs-0:0.10.12-6.el8_6.7.src"
},
"product_reference": "pcs-0:0.10.12-6.el8_6.7.src",
"relates_to_product_reference": "HighAvailability-8.6.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.10.12-6.el8_6.7.x86_64 as a component of Red Hat Enterprise Linux High Availability E4S (v.8.6)",
"product_id": "HighAvailability-8.6.0.Z.E4S:pcs-0:0.10.12-6.el8_6.7.x86_64"
},
"product_reference": "pcs-0:0.10.12-6.el8_6.7.x86_64",
"relates_to_product_reference": "HighAvailability-8.6.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-snmp-0:0.10.12-6.el8_6.7.ppc64le as a component of Red Hat Enterprise Linux High Availability E4S (v.8.6)",
"product_id": "HighAvailability-8.6.0.Z.E4S:pcs-snmp-0:0.10.12-6.el8_6.7.ppc64le"
},
"product_reference": "pcs-snmp-0:0.10.12-6.el8_6.7.ppc64le",
"relates_to_product_reference": "HighAvailability-8.6.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-snmp-0:0.10.12-6.el8_6.7.x86_64 as a component of Red Hat Enterprise Linux High Availability E4S (v.8.6)",
"product_id": "HighAvailability-8.6.0.Z.E4S:pcs-snmp-0:0.10.12-6.el8_6.7.x86_64"
},
"product_reference": "pcs-snmp-0:0.10.12-6.el8_6.7.x86_64",
"relates_to_product_reference": "HighAvailability-8.6.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.10.12-6.el8_6.7.src as a component of Red Hat Enterprise Linux High Availability TUS (v.8.6)",
"product_id": "HighAvailability-8.6.0.Z.TUS:pcs-0:0.10.12-6.el8_6.7.src"
},
"product_reference": "pcs-0:0.10.12-6.el8_6.7.src",
"relates_to_product_reference": "HighAvailability-8.6.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.10.12-6.el8_6.7.x86_64 as a component of Red Hat Enterprise Linux High Availability TUS (v.8.6)",
"product_id": "HighAvailability-8.6.0.Z.TUS:pcs-0:0.10.12-6.el8_6.7.x86_64"
},
"product_reference": "pcs-0:0.10.12-6.el8_6.7.x86_64",
"relates_to_product_reference": "HighAvailability-8.6.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-snmp-0:0.10.12-6.el8_6.7.x86_64 as a component of Red Hat Enterprise Linux High Availability TUS (v.8.6)",
"product_id": "HighAvailability-8.6.0.Z.TUS:pcs-snmp-0:0.10.12-6.el8_6.7.x86_64"
},
"product_reference": "pcs-snmp-0:0.10.12-6.el8_6.7.x86_64",
"relates_to_product_reference": "HighAvailability-8.6.0.Z.TUS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-52804",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2024-11-22T16:00:41.704855+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2328045"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Tornado\u0027s HTTP cookie parsing algorithm. This vulnerability allows excessive CPU consumption via maliciously crafted cookie headers due to quadratic complexity, potentially blocking the processing of other requests and leading to the loss of availability of the system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "python-tornado: Tornado has HTTP cookie parsing DoS vulnerability",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"HighAvailability-8.6.0.Z.E4S:pcs-0:0.10.12-6.el8_6.7.ppc64le",
"HighAvailability-8.6.0.Z.E4S:pcs-0:0.10.12-6.el8_6.7.src",
"HighAvailability-8.6.0.Z.E4S:pcs-0:0.10.12-6.el8_6.7.x86_64",
"HighAvailability-8.6.0.Z.E4S:pcs-snmp-0:0.10.12-6.el8_6.7.ppc64le",
"HighAvailability-8.6.0.Z.E4S:pcs-snmp-0:0.10.12-6.el8_6.7.x86_64",
"HighAvailability-8.6.0.Z.TUS:pcs-0:0.10.12-6.el8_6.7.src",
"HighAvailability-8.6.0.Z.TUS:pcs-0:0.10.12-6.el8_6.7.x86_64",
"HighAvailability-8.6.0.Z.TUS:pcs-snmp-0:0.10.12-6.el8_6.7.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-52804"
},
{
"category": "external",
"summary": "RHBZ#2328045",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2328045"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-52804",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-52804"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-52804",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52804"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-7pwv-g7hj-39pr",
"url": "https://github.com/advisories/GHSA-7pwv-g7hj-39pr"
},
{
"category": "external",
"summary": "https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533",
"url": "https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533"
},
{
"category": "external",
"summary": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c",
"url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c"
}
],
"release_date": "2024-11-22T15:43:38.572000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-03-17T16:11:06+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"HighAvailability-8.6.0.Z.E4S:pcs-0:0.10.12-6.el8_6.7.ppc64le",
"HighAvailability-8.6.0.Z.E4S:pcs-0:0.10.12-6.el8_6.7.src",
"HighAvailability-8.6.0.Z.E4S:pcs-0:0.10.12-6.el8_6.7.x86_64",
"HighAvailability-8.6.0.Z.E4S:pcs-snmp-0:0.10.12-6.el8_6.7.ppc64le",
"HighAvailability-8.6.0.Z.E4S:pcs-snmp-0:0.10.12-6.el8_6.7.x86_64",
"HighAvailability-8.6.0.Z.TUS:pcs-0:0.10.12-6.el8_6.7.src",
"HighAvailability-8.6.0.Z.TUS:pcs-0:0.10.12-6.el8_6.7.x86_64",
"HighAvailability-8.6.0.Z.TUS:pcs-snmp-0:0.10.12-6.el8_6.7.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:2956"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"HighAvailability-8.6.0.Z.E4S:pcs-0:0.10.12-6.el8_6.7.ppc64le",
"HighAvailability-8.6.0.Z.E4S:pcs-0:0.10.12-6.el8_6.7.src",
"HighAvailability-8.6.0.Z.E4S:pcs-0:0.10.12-6.el8_6.7.x86_64",
"HighAvailability-8.6.0.Z.E4S:pcs-snmp-0:0.10.12-6.el8_6.7.ppc64le",
"HighAvailability-8.6.0.Z.E4S:pcs-snmp-0:0.10.12-6.el8_6.7.x86_64",
"HighAvailability-8.6.0.Z.TUS:pcs-0:0.10.12-6.el8_6.7.src",
"HighAvailability-8.6.0.Z.TUS:pcs-0:0.10.12-6.el8_6.7.x86_64",
"HighAvailability-8.6.0.Z.TUS:pcs-snmp-0:0.10.12-6.el8_6.7.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"HighAvailability-8.6.0.Z.E4S:pcs-0:0.10.12-6.el8_6.7.ppc64le",
"HighAvailability-8.6.0.Z.E4S:pcs-0:0.10.12-6.el8_6.7.src",
"HighAvailability-8.6.0.Z.E4S:pcs-0:0.10.12-6.el8_6.7.x86_64",
"HighAvailability-8.6.0.Z.E4S:pcs-snmp-0:0.10.12-6.el8_6.7.ppc64le",
"HighAvailability-8.6.0.Z.E4S:pcs-snmp-0:0.10.12-6.el8_6.7.x86_64",
"HighAvailability-8.6.0.Z.TUS:pcs-0:0.10.12-6.el8_6.7.src",
"HighAvailability-8.6.0.Z.TUS:pcs-0:0.10.12-6.el8_6.7.x86_64",
"HighAvailability-8.6.0.Z.TUS:pcs-snmp-0:0.10.12-6.el8_6.7.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "python-tornado: Tornado has HTTP cookie parsing DoS vulnerability"
}
]
}
RHSA-2024:10590
Vulnerability from csaf_redhat
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for python-tornado is now available for Red Hat Enterprise Linux 9.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Tornado is a Python web framework and asynchronous networking library that provides an open source version of scalable, non-blocking web server and tools.\n\nSecurity Fix(es):\n\n* python-tornado: Tornado has HTTP cookie parsing DoS vulnerability (CVE-2024-52804)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2024:10590",
"url": "https://access.redhat.com/errata/RHSA-2024:10590"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2328045",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2328045"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_10590.json"
}
],
"title": "Red Hat Security Advisory: python-tornado security update",
"tracking": {
"current_release_date": "2025-11-06T22:34:20+00:00",
"generator": {
"date": "2025-11-06T22:34:20+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.11"
}
},
"id": "RHSA-2024:10590",
"initial_release_date": "2024-12-02T01:31:22+00:00",
"revision_history": [
{
"date": "2024-12-02T01:31:22+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2024-12-02T01:31:22+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-06T22:34:20+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream (v. 9)",
"product": {
"name": "Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.5.0.Z.MAIN",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:enterprise_linux:9::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "python-tornado-0:6.4.2-1.el9_5.src",
"product": {
"name": "python-tornado-0:6.4.2-1.el9_5.src",
"product_id": "python-tornado-0:6.4.2-1.el9_5.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-tornado@6.4.2-1.el9_5?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "python3-tornado-0:6.4.2-1.el9_5.aarch64",
"product": {
"name": "python3-tornado-0:6.4.2-1.el9_5.aarch64",
"product_id": "python3-tornado-0:6.4.2-1.el9_5.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado@6.4.2-1.el9_5?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "python-tornado-debugsource-0:6.4.2-1.el9_5.aarch64",
"product": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_5.aarch64",
"product_id": "python-tornado-debugsource-0:6.4.2-1.el9_5.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-tornado-debugsource@6.4.2-1.el9_5?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_5.aarch64",
"product": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_5.aarch64",
"product_id": "python3-tornado-debuginfo-0:6.4.2-1.el9_5.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado-debuginfo@6.4.2-1.el9_5?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "python3-tornado-0:6.4.2-1.el9_5.ppc64le",
"product": {
"name": "python3-tornado-0:6.4.2-1.el9_5.ppc64le",
"product_id": "python3-tornado-0:6.4.2-1.el9_5.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado@6.4.2-1.el9_5?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "python-tornado-debugsource-0:6.4.2-1.el9_5.ppc64le",
"product": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_5.ppc64le",
"product_id": "python-tornado-debugsource-0:6.4.2-1.el9_5.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-tornado-debugsource@6.4.2-1.el9_5?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_5.ppc64le",
"product": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_5.ppc64le",
"product_id": "python3-tornado-debuginfo-0:6.4.2-1.el9_5.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado-debuginfo@6.4.2-1.el9_5?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "python3-tornado-0:6.4.2-1.el9_5.x86_64",
"product": {
"name": "python3-tornado-0:6.4.2-1.el9_5.x86_64",
"product_id": "python3-tornado-0:6.4.2-1.el9_5.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado@6.4.2-1.el9_5?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "python-tornado-debugsource-0:6.4.2-1.el9_5.x86_64",
"product": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_5.x86_64",
"product_id": "python-tornado-debugsource-0:6.4.2-1.el9_5.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-tornado-debugsource@6.4.2-1.el9_5?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_5.x86_64",
"product": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_5.x86_64",
"product_id": "python3-tornado-debuginfo-0:6.4.2-1.el9_5.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado-debuginfo@6.4.2-1.el9_5?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "python3-tornado-0:6.4.2-1.el9_5.s390x",
"product": {
"name": "python3-tornado-0:6.4.2-1.el9_5.s390x",
"product_id": "python3-tornado-0:6.4.2-1.el9_5.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado@6.4.2-1.el9_5?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "python-tornado-debugsource-0:6.4.2-1.el9_5.s390x",
"product": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_5.s390x",
"product_id": "python-tornado-debugsource-0:6.4.2-1.el9_5.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-tornado-debugsource@6.4.2-1.el9_5?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_5.s390x",
"product": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_5.s390x",
"product_id": "python3-tornado-debuginfo-0:6.4.2-1.el9_5.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado-debuginfo@6.4.2-1.el9_5?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python-tornado-0:6.4.2-1.el9_5.src as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.5.0.Z.MAIN:python-tornado-0:6.4.2-1.el9_5.src"
},
"product_reference": "python-tornado-0:6.4.2-1.el9_5.src",
"relates_to_product_reference": "AppStream-9.5.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_5.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.5.0.Z.MAIN:python-tornado-debugsource-0:6.4.2-1.el9_5.aarch64"
},
"product_reference": "python-tornado-debugsource-0:6.4.2-1.el9_5.aarch64",
"relates_to_product_reference": "AppStream-9.5.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_5.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.5.0.Z.MAIN:python-tornado-debugsource-0:6.4.2-1.el9_5.ppc64le"
},
"product_reference": "python-tornado-debugsource-0:6.4.2-1.el9_5.ppc64le",
"relates_to_product_reference": "AppStream-9.5.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_5.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.5.0.Z.MAIN:python-tornado-debugsource-0:6.4.2-1.el9_5.s390x"
},
"product_reference": "python-tornado-debugsource-0:6.4.2-1.el9_5.s390x",
"relates_to_product_reference": "AppStream-9.5.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_5.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.5.0.Z.MAIN:python-tornado-debugsource-0:6.4.2-1.el9_5.x86_64"
},
"product_reference": "python-tornado-debugsource-0:6.4.2-1.el9_5.x86_64",
"relates_to_product_reference": "AppStream-9.5.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-0:6.4.2-1.el9_5.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.5.0.Z.MAIN:python3-tornado-0:6.4.2-1.el9_5.aarch64"
},
"product_reference": "python3-tornado-0:6.4.2-1.el9_5.aarch64",
"relates_to_product_reference": "AppStream-9.5.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-0:6.4.2-1.el9_5.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.5.0.Z.MAIN:python3-tornado-0:6.4.2-1.el9_5.ppc64le"
},
"product_reference": "python3-tornado-0:6.4.2-1.el9_5.ppc64le",
"relates_to_product_reference": "AppStream-9.5.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-0:6.4.2-1.el9_5.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.5.0.Z.MAIN:python3-tornado-0:6.4.2-1.el9_5.s390x"
},
"product_reference": "python3-tornado-0:6.4.2-1.el9_5.s390x",
"relates_to_product_reference": "AppStream-9.5.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-0:6.4.2-1.el9_5.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.5.0.Z.MAIN:python3-tornado-0:6.4.2-1.el9_5.x86_64"
},
"product_reference": "python3-tornado-0:6.4.2-1.el9_5.x86_64",
"relates_to_product_reference": "AppStream-9.5.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_5.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.5.0.Z.MAIN:python3-tornado-debuginfo-0:6.4.2-1.el9_5.aarch64"
},
"product_reference": "python3-tornado-debuginfo-0:6.4.2-1.el9_5.aarch64",
"relates_to_product_reference": "AppStream-9.5.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_5.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.5.0.Z.MAIN:python3-tornado-debuginfo-0:6.4.2-1.el9_5.ppc64le"
},
"product_reference": "python3-tornado-debuginfo-0:6.4.2-1.el9_5.ppc64le",
"relates_to_product_reference": "AppStream-9.5.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_5.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.5.0.Z.MAIN:python3-tornado-debuginfo-0:6.4.2-1.el9_5.s390x"
},
"product_reference": "python3-tornado-debuginfo-0:6.4.2-1.el9_5.s390x",
"relates_to_product_reference": "AppStream-9.5.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_5.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.5.0.Z.MAIN:python3-tornado-debuginfo-0:6.4.2-1.el9_5.x86_64"
},
"product_reference": "python3-tornado-debuginfo-0:6.4.2-1.el9_5.x86_64",
"relates_to_product_reference": "AppStream-9.5.0.Z.MAIN"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-52804",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2024-11-22T16:00:41.704855+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2328045"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Tornado\u0027s HTTP cookie parsing algorithm. This vulnerability allows excessive CPU consumption via maliciously crafted cookie headers due to quadratic complexity, potentially blocking the processing of other requests and leading to the loss of availability of the system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "python-tornado: Tornado has HTTP cookie parsing DoS vulnerability",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.5.0.Z.MAIN:python-tornado-0:6.4.2-1.el9_5.src",
"AppStream-9.5.0.Z.MAIN:python-tornado-debugsource-0:6.4.2-1.el9_5.aarch64",
"AppStream-9.5.0.Z.MAIN:python-tornado-debugsource-0:6.4.2-1.el9_5.ppc64le",
"AppStream-9.5.0.Z.MAIN:python-tornado-debugsource-0:6.4.2-1.el9_5.s390x",
"AppStream-9.5.0.Z.MAIN:python-tornado-debugsource-0:6.4.2-1.el9_5.x86_64",
"AppStream-9.5.0.Z.MAIN:python3-tornado-0:6.4.2-1.el9_5.aarch64",
"AppStream-9.5.0.Z.MAIN:python3-tornado-0:6.4.2-1.el9_5.ppc64le",
"AppStream-9.5.0.Z.MAIN:python3-tornado-0:6.4.2-1.el9_5.s390x",
"AppStream-9.5.0.Z.MAIN:python3-tornado-0:6.4.2-1.el9_5.x86_64",
"AppStream-9.5.0.Z.MAIN:python3-tornado-debuginfo-0:6.4.2-1.el9_5.aarch64",
"AppStream-9.5.0.Z.MAIN:python3-tornado-debuginfo-0:6.4.2-1.el9_5.ppc64le",
"AppStream-9.5.0.Z.MAIN:python3-tornado-debuginfo-0:6.4.2-1.el9_5.s390x",
"AppStream-9.5.0.Z.MAIN:python3-tornado-debuginfo-0:6.4.2-1.el9_5.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-52804"
},
{
"category": "external",
"summary": "RHBZ#2328045",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2328045"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-52804",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-52804"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-52804",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52804"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-7pwv-g7hj-39pr",
"url": "https://github.com/advisories/GHSA-7pwv-g7hj-39pr"
},
{
"category": "external",
"summary": "https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533",
"url": "https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533"
},
{
"category": "external",
"summary": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c",
"url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c"
}
],
"release_date": "2024-11-22T15:43:38.572000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-12-02T01:31:22+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.5.0.Z.MAIN:python-tornado-0:6.4.2-1.el9_5.src",
"AppStream-9.5.0.Z.MAIN:python-tornado-debugsource-0:6.4.2-1.el9_5.aarch64",
"AppStream-9.5.0.Z.MAIN:python-tornado-debugsource-0:6.4.2-1.el9_5.ppc64le",
"AppStream-9.5.0.Z.MAIN:python-tornado-debugsource-0:6.4.2-1.el9_5.s390x",
"AppStream-9.5.0.Z.MAIN:python-tornado-debugsource-0:6.4.2-1.el9_5.x86_64",
"AppStream-9.5.0.Z.MAIN:python3-tornado-0:6.4.2-1.el9_5.aarch64",
"AppStream-9.5.0.Z.MAIN:python3-tornado-0:6.4.2-1.el9_5.ppc64le",
"AppStream-9.5.0.Z.MAIN:python3-tornado-0:6.4.2-1.el9_5.s390x",
"AppStream-9.5.0.Z.MAIN:python3-tornado-0:6.4.2-1.el9_5.x86_64",
"AppStream-9.5.0.Z.MAIN:python3-tornado-debuginfo-0:6.4.2-1.el9_5.aarch64",
"AppStream-9.5.0.Z.MAIN:python3-tornado-debuginfo-0:6.4.2-1.el9_5.ppc64le",
"AppStream-9.5.0.Z.MAIN:python3-tornado-debuginfo-0:6.4.2-1.el9_5.s390x",
"AppStream-9.5.0.Z.MAIN:python3-tornado-debuginfo-0:6.4.2-1.el9_5.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:10590"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.5.0.Z.MAIN:python-tornado-0:6.4.2-1.el9_5.src",
"AppStream-9.5.0.Z.MAIN:python-tornado-debugsource-0:6.4.2-1.el9_5.aarch64",
"AppStream-9.5.0.Z.MAIN:python-tornado-debugsource-0:6.4.2-1.el9_5.ppc64le",
"AppStream-9.5.0.Z.MAIN:python-tornado-debugsource-0:6.4.2-1.el9_5.s390x",
"AppStream-9.5.0.Z.MAIN:python-tornado-debugsource-0:6.4.2-1.el9_5.x86_64",
"AppStream-9.5.0.Z.MAIN:python3-tornado-0:6.4.2-1.el9_5.aarch64",
"AppStream-9.5.0.Z.MAIN:python3-tornado-0:6.4.2-1.el9_5.ppc64le",
"AppStream-9.5.0.Z.MAIN:python3-tornado-0:6.4.2-1.el9_5.s390x",
"AppStream-9.5.0.Z.MAIN:python3-tornado-0:6.4.2-1.el9_5.x86_64",
"AppStream-9.5.0.Z.MAIN:python3-tornado-debuginfo-0:6.4.2-1.el9_5.aarch64",
"AppStream-9.5.0.Z.MAIN:python3-tornado-debuginfo-0:6.4.2-1.el9_5.ppc64le",
"AppStream-9.5.0.Z.MAIN:python3-tornado-debuginfo-0:6.4.2-1.el9_5.s390x",
"AppStream-9.5.0.Z.MAIN:python3-tornado-debuginfo-0:6.4.2-1.el9_5.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.5.0.Z.MAIN:python-tornado-0:6.4.2-1.el9_5.src",
"AppStream-9.5.0.Z.MAIN:python-tornado-debugsource-0:6.4.2-1.el9_5.aarch64",
"AppStream-9.5.0.Z.MAIN:python-tornado-debugsource-0:6.4.2-1.el9_5.ppc64le",
"AppStream-9.5.0.Z.MAIN:python-tornado-debugsource-0:6.4.2-1.el9_5.s390x",
"AppStream-9.5.0.Z.MAIN:python-tornado-debugsource-0:6.4.2-1.el9_5.x86_64",
"AppStream-9.5.0.Z.MAIN:python3-tornado-0:6.4.2-1.el9_5.aarch64",
"AppStream-9.5.0.Z.MAIN:python3-tornado-0:6.4.2-1.el9_5.ppc64le",
"AppStream-9.5.0.Z.MAIN:python3-tornado-0:6.4.2-1.el9_5.s390x",
"AppStream-9.5.0.Z.MAIN:python3-tornado-0:6.4.2-1.el9_5.x86_64",
"AppStream-9.5.0.Z.MAIN:python3-tornado-debuginfo-0:6.4.2-1.el9_5.aarch64",
"AppStream-9.5.0.Z.MAIN:python3-tornado-debuginfo-0:6.4.2-1.el9_5.ppc64le",
"AppStream-9.5.0.Z.MAIN:python3-tornado-debuginfo-0:6.4.2-1.el9_5.s390x",
"AppStream-9.5.0.Z.MAIN:python3-tornado-debuginfo-0:6.4.2-1.el9_5.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "python-tornado: Tornado has HTTP cookie parsing DoS vulnerability"
}
]
}
rhsa-2025:2550
Vulnerability from csaf_redhat
Notes
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for pcs is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities.\n\nSecurity Fix(es):\n\n* python-tornado: Tornado has HTTP cookie parsing DoS vulnerability (CVE-2024-52804)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:2550",
"url": "https://access.redhat.com/errata/RHSA-2025:2550"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2328045",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2328045"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_2550.json"
}
],
"title": "Red Hat Security Advisory: pcs security update",
"tracking": {
"current_release_date": "2025-11-06T22:35:37+00:00",
"generator": {
"date": "2025-11-06T22:35:37+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.11"
}
},
"id": "RHSA-2025:2550",
"initial_release_date": "2025-03-10T18:47:20+00:00",
"revision_history": [
{
"date": "2025-03-10T18:47:20+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-03-10T18:47:20+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-06T22:35:37+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux High Availability E4S (v.9.0)",
"product": {
"name": "Red Hat Enterprise Linux High Availability E4S (v.9.0)",
"product_id": "HighAvailability-9.0.0.Z.E4S",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_e4s:9.0::highavailability"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux ResilientStorage E4S (v.9.0)",
"product": {
"name": "Red Hat Enterprise Linux ResilientStorage E4S (v.9.0)",
"product_id": "ResilientStorage-9.0.0.Z.E4S",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_e4s:9.0::resilientstorage"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "pcs-0:0.11.1-10.el9_0.7.src",
"product": {
"name": "pcs-0:0.11.1-10.el9_0.7.src",
"product_id": "pcs-0:0.11.1-10.el9_0.7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/pcs@0.11.1-10.el9_0.7?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "pcs-0:0.11.1-10.el9_0.7.ppc64le",
"product": {
"name": "pcs-0:0.11.1-10.el9_0.7.ppc64le",
"product_id": "pcs-0:0.11.1-10.el9_0.7.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/pcs@0.11.1-10.el9_0.7?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "pcs-snmp-0:0.11.1-10.el9_0.7.ppc64le",
"product": {
"name": "pcs-snmp-0:0.11.1-10.el9_0.7.ppc64le",
"product_id": "pcs-snmp-0:0.11.1-10.el9_0.7.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/pcs-snmp@0.11.1-10.el9_0.7?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "pcs-0:0.11.1-10.el9_0.7.x86_64",
"product": {
"name": "pcs-0:0.11.1-10.el9_0.7.x86_64",
"product_id": "pcs-0:0.11.1-10.el9_0.7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/pcs@0.11.1-10.el9_0.7?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "pcs-snmp-0:0.11.1-10.el9_0.7.x86_64",
"product": {
"name": "pcs-snmp-0:0.11.1-10.el9_0.7.x86_64",
"product_id": "pcs-snmp-0:0.11.1-10.el9_0.7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/pcs-snmp@0.11.1-10.el9_0.7?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "pcs-0:0.11.1-10.el9_0.7.s390x",
"product": {
"name": "pcs-0:0.11.1-10.el9_0.7.s390x",
"product_id": "pcs-0:0.11.1-10.el9_0.7.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/pcs@0.11.1-10.el9_0.7?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "pcs-snmp-0:0.11.1-10.el9_0.7.s390x",
"product": {
"name": "pcs-snmp-0:0.11.1-10.el9_0.7.s390x",
"product_id": "pcs-snmp-0:0.11.1-10.el9_0.7.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/pcs-snmp@0.11.1-10.el9_0.7?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "pcs-0:0.11.1-10.el9_0.7.aarch64",
"product": {
"name": "pcs-0:0.11.1-10.el9_0.7.aarch64",
"product_id": "pcs-0:0.11.1-10.el9_0.7.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/pcs@0.11.1-10.el9_0.7?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "pcs-snmp-0:0.11.1-10.el9_0.7.aarch64",
"product": {
"name": "pcs-snmp-0:0.11.1-10.el9_0.7.aarch64",
"product_id": "pcs-snmp-0:0.11.1-10.el9_0.7.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/pcs-snmp@0.11.1-10.el9_0.7?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.11.1-10.el9_0.7.aarch64 as a component of Red Hat Enterprise Linux High Availability E4S (v.9.0)",
"product_id": "HighAvailability-9.0.0.Z.E4S:pcs-0:0.11.1-10.el9_0.7.aarch64"
},
"product_reference": "pcs-0:0.11.1-10.el9_0.7.aarch64",
"relates_to_product_reference": "HighAvailability-9.0.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.11.1-10.el9_0.7.ppc64le as a component of Red Hat Enterprise Linux High Availability E4S (v.9.0)",
"product_id": "HighAvailability-9.0.0.Z.E4S:pcs-0:0.11.1-10.el9_0.7.ppc64le"
},
"product_reference": "pcs-0:0.11.1-10.el9_0.7.ppc64le",
"relates_to_product_reference": "HighAvailability-9.0.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.11.1-10.el9_0.7.s390x as a component of Red Hat Enterprise Linux High Availability E4S (v.9.0)",
"product_id": "HighAvailability-9.0.0.Z.E4S:pcs-0:0.11.1-10.el9_0.7.s390x"
},
"product_reference": "pcs-0:0.11.1-10.el9_0.7.s390x",
"relates_to_product_reference": "HighAvailability-9.0.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.11.1-10.el9_0.7.src as a component of Red Hat Enterprise Linux High Availability E4S (v.9.0)",
"product_id": "HighAvailability-9.0.0.Z.E4S:pcs-0:0.11.1-10.el9_0.7.src"
},
"product_reference": "pcs-0:0.11.1-10.el9_0.7.src",
"relates_to_product_reference": "HighAvailability-9.0.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.11.1-10.el9_0.7.x86_64 as a component of Red Hat Enterprise Linux High Availability E4S (v.9.0)",
"product_id": "HighAvailability-9.0.0.Z.E4S:pcs-0:0.11.1-10.el9_0.7.x86_64"
},
"product_reference": "pcs-0:0.11.1-10.el9_0.7.x86_64",
"relates_to_product_reference": "HighAvailability-9.0.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-snmp-0:0.11.1-10.el9_0.7.aarch64 as a component of Red Hat Enterprise Linux High Availability E4S (v.9.0)",
"product_id": "HighAvailability-9.0.0.Z.E4S:pcs-snmp-0:0.11.1-10.el9_0.7.aarch64"
},
"product_reference": "pcs-snmp-0:0.11.1-10.el9_0.7.aarch64",
"relates_to_product_reference": "HighAvailability-9.0.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-snmp-0:0.11.1-10.el9_0.7.ppc64le as a component of Red Hat Enterprise Linux High Availability E4S (v.9.0)",
"product_id": "HighAvailability-9.0.0.Z.E4S:pcs-snmp-0:0.11.1-10.el9_0.7.ppc64le"
},
"product_reference": "pcs-snmp-0:0.11.1-10.el9_0.7.ppc64le",
"relates_to_product_reference": "HighAvailability-9.0.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-snmp-0:0.11.1-10.el9_0.7.s390x as a component of Red Hat Enterprise Linux High Availability E4S (v.9.0)",
"product_id": "HighAvailability-9.0.0.Z.E4S:pcs-snmp-0:0.11.1-10.el9_0.7.s390x"
},
"product_reference": "pcs-snmp-0:0.11.1-10.el9_0.7.s390x",
"relates_to_product_reference": "HighAvailability-9.0.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-snmp-0:0.11.1-10.el9_0.7.x86_64 as a component of Red Hat Enterprise Linux High Availability E4S (v.9.0)",
"product_id": "HighAvailability-9.0.0.Z.E4S:pcs-snmp-0:0.11.1-10.el9_0.7.x86_64"
},
"product_reference": "pcs-snmp-0:0.11.1-10.el9_0.7.x86_64",
"relates_to_product_reference": "HighAvailability-9.0.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.11.1-10.el9_0.7.aarch64 as a component of Red Hat Enterprise Linux ResilientStorage E4S (v.9.0)",
"product_id": "ResilientStorage-9.0.0.Z.E4S:pcs-0:0.11.1-10.el9_0.7.aarch64"
},
"product_reference": "pcs-0:0.11.1-10.el9_0.7.aarch64",
"relates_to_product_reference": "ResilientStorage-9.0.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.11.1-10.el9_0.7.ppc64le as a component of Red Hat Enterprise Linux ResilientStorage E4S (v.9.0)",
"product_id": "ResilientStorage-9.0.0.Z.E4S:pcs-0:0.11.1-10.el9_0.7.ppc64le"
},
"product_reference": "pcs-0:0.11.1-10.el9_0.7.ppc64le",
"relates_to_product_reference": "ResilientStorage-9.0.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.11.1-10.el9_0.7.s390x as a component of Red Hat Enterprise Linux ResilientStorage E4S (v.9.0)",
"product_id": "ResilientStorage-9.0.0.Z.E4S:pcs-0:0.11.1-10.el9_0.7.s390x"
},
"product_reference": "pcs-0:0.11.1-10.el9_0.7.s390x",
"relates_to_product_reference": "ResilientStorage-9.0.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.11.1-10.el9_0.7.src as a component of Red Hat Enterprise Linux ResilientStorage E4S (v.9.0)",
"product_id": "ResilientStorage-9.0.0.Z.E4S:pcs-0:0.11.1-10.el9_0.7.src"
},
"product_reference": "pcs-0:0.11.1-10.el9_0.7.src",
"relates_to_product_reference": "ResilientStorage-9.0.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.11.1-10.el9_0.7.x86_64 as a component of Red Hat Enterprise Linux ResilientStorage E4S (v.9.0)",
"product_id": "ResilientStorage-9.0.0.Z.E4S:pcs-0:0.11.1-10.el9_0.7.x86_64"
},
"product_reference": "pcs-0:0.11.1-10.el9_0.7.x86_64",
"relates_to_product_reference": "ResilientStorage-9.0.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-snmp-0:0.11.1-10.el9_0.7.aarch64 as a component of Red Hat Enterprise Linux ResilientStorage E4S (v.9.0)",
"product_id": "ResilientStorage-9.0.0.Z.E4S:pcs-snmp-0:0.11.1-10.el9_0.7.aarch64"
},
"product_reference": "pcs-snmp-0:0.11.1-10.el9_0.7.aarch64",
"relates_to_product_reference": "ResilientStorage-9.0.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-snmp-0:0.11.1-10.el9_0.7.ppc64le as a component of Red Hat Enterprise Linux ResilientStorage E4S (v.9.0)",
"product_id": "ResilientStorage-9.0.0.Z.E4S:pcs-snmp-0:0.11.1-10.el9_0.7.ppc64le"
},
"product_reference": "pcs-snmp-0:0.11.1-10.el9_0.7.ppc64le",
"relates_to_product_reference": "ResilientStorage-9.0.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-snmp-0:0.11.1-10.el9_0.7.s390x as a component of Red Hat Enterprise Linux ResilientStorage E4S (v.9.0)",
"product_id": "ResilientStorage-9.0.0.Z.E4S:pcs-snmp-0:0.11.1-10.el9_0.7.s390x"
},
"product_reference": "pcs-snmp-0:0.11.1-10.el9_0.7.s390x",
"relates_to_product_reference": "ResilientStorage-9.0.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-snmp-0:0.11.1-10.el9_0.7.x86_64 as a component of Red Hat Enterprise Linux ResilientStorage E4S (v.9.0)",
"product_id": "ResilientStorage-9.0.0.Z.E4S:pcs-snmp-0:0.11.1-10.el9_0.7.x86_64"
},
"product_reference": "pcs-snmp-0:0.11.1-10.el9_0.7.x86_64",
"relates_to_product_reference": "ResilientStorage-9.0.0.Z.E4S"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-52804",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2024-11-22T16:00:41.704855+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2328045"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Tornado\u0027s HTTP cookie parsing algorithm. This vulnerability allows excessive CPU consumption via maliciously crafted cookie headers due to quadratic complexity, potentially blocking the processing of other requests and leading to the loss of availability of the system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "python-tornado: Tornado has HTTP cookie parsing DoS vulnerability",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"HighAvailability-9.0.0.Z.E4S:pcs-0:0.11.1-10.el9_0.7.aarch64",
"HighAvailability-9.0.0.Z.E4S:pcs-0:0.11.1-10.el9_0.7.ppc64le",
"HighAvailability-9.0.0.Z.E4S:pcs-0:0.11.1-10.el9_0.7.s390x",
"HighAvailability-9.0.0.Z.E4S:pcs-0:0.11.1-10.el9_0.7.src",
"HighAvailability-9.0.0.Z.E4S:pcs-0:0.11.1-10.el9_0.7.x86_64",
"HighAvailability-9.0.0.Z.E4S:pcs-snmp-0:0.11.1-10.el9_0.7.aarch64",
"HighAvailability-9.0.0.Z.E4S:pcs-snmp-0:0.11.1-10.el9_0.7.ppc64le",
"HighAvailability-9.0.0.Z.E4S:pcs-snmp-0:0.11.1-10.el9_0.7.s390x",
"HighAvailability-9.0.0.Z.E4S:pcs-snmp-0:0.11.1-10.el9_0.7.x86_64",
"ResilientStorage-9.0.0.Z.E4S:pcs-0:0.11.1-10.el9_0.7.aarch64",
"ResilientStorage-9.0.0.Z.E4S:pcs-0:0.11.1-10.el9_0.7.ppc64le",
"ResilientStorage-9.0.0.Z.E4S:pcs-0:0.11.1-10.el9_0.7.s390x",
"ResilientStorage-9.0.0.Z.E4S:pcs-0:0.11.1-10.el9_0.7.src",
"ResilientStorage-9.0.0.Z.E4S:pcs-0:0.11.1-10.el9_0.7.x86_64",
"ResilientStorage-9.0.0.Z.E4S:pcs-snmp-0:0.11.1-10.el9_0.7.aarch64",
"ResilientStorage-9.0.0.Z.E4S:pcs-snmp-0:0.11.1-10.el9_0.7.ppc64le",
"ResilientStorage-9.0.0.Z.E4S:pcs-snmp-0:0.11.1-10.el9_0.7.s390x",
"ResilientStorage-9.0.0.Z.E4S:pcs-snmp-0:0.11.1-10.el9_0.7.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-52804"
},
{
"category": "external",
"summary": "RHBZ#2328045",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2328045"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-52804",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-52804"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-52804",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52804"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-7pwv-g7hj-39pr",
"url": "https://github.com/advisories/GHSA-7pwv-g7hj-39pr"
},
{
"category": "external",
"summary": "https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533",
"url": "https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533"
},
{
"category": "external",
"summary": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c",
"url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c"
}
],
"release_date": "2024-11-22T15:43:38.572000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-03-10T18:47:20+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"HighAvailability-9.0.0.Z.E4S:pcs-0:0.11.1-10.el9_0.7.aarch64",
"HighAvailability-9.0.0.Z.E4S:pcs-0:0.11.1-10.el9_0.7.ppc64le",
"HighAvailability-9.0.0.Z.E4S:pcs-0:0.11.1-10.el9_0.7.s390x",
"HighAvailability-9.0.0.Z.E4S:pcs-0:0.11.1-10.el9_0.7.src",
"HighAvailability-9.0.0.Z.E4S:pcs-0:0.11.1-10.el9_0.7.x86_64",
"HighAvailability-9.0.0.Z.E4S:pcs-snmp-0:0.11.1-10.el9_0.7.aarch64",
"HighAvailability-9.0.0.Z.E4S:pcs-snmp-0:0.11.1-10.el9_0.7.ppc64le",
"HighAvailability-9.0.0.Z.E4S:pcs-snmp-0:0.11.1-10.el9_0.7.s390x",
"HighAvailability-9.0.0.Z.E4S:pcs-snmp-0:0.11.1-10.el9_0.7.x86_64",
"ResilientStorage-9.0.0.Z.E4S:pcs-0:0.11.1-10.el9_0.7.aarch64",
"ResilientStorage-9.0.0.Z.E4S:pcs-0:0.11.1-10.el9_0.7.ppc64le",
"ResilientStorage-9.0.0.Z.E4S:pcs-0:0.11.1-10.el9_0.7.s390x",
"ResilientStorage-9.0.0.Z.E4S:pcs-0:0.11.1-10.el9_0.7.src",
"ResilientStorage-9.0.0.Z.E4S:pcs-0:0.11.1-10.el9_0.7.x86_64",
"ResilientStorage-9.0.0.Z.E4S:pcs-snmp-0:0.11.1-10.el9_0.7.aarch64",
"ResilientStorage-9.0.0.Z.E4S:pcs-snmp-0:0.11.1-10.el9_0.7.ppc64le",
"ResilientStorage-9.0.0.Z.E4S:pcs-snmp-0:0.11.1-10.el9_0.7.s390x",
"ResilientStorage-9.0.0.Z.E4S:pcs-snmp-0:0.11.1-10.el9_0.7.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:2550"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"HighAvailability-9.0.0.Z.E4S:pcs-0:0.11.1-10.el9_0.7.aarch64",
"HighAvailability-9.0.0.Z.E4S:pcs-0:0.11.1-10.el9_0.7.ppc64le",
"HighAvailability-9.0.0.Z.E4S:pcs-0:0.11.1-10.el9_0.7.s390x",
"HighAvailability-9.0.0.Z.E4S:pcs-0:0.11.1-10.el9_0.7.src",
"HighAvailability-9.0.0.Z.E4S:pcs-0:0.11.1-10.el9_0.7.x86_64",
"HighAvailability-9.0.0.Z.E4S:pcs-snmp-0:0.11.1-10.el9_0.7.aarch64",
"HighAvailability-9.0.0.Z.E4S:pcs-snmp-0:0.11.1-10.el9_0.7.ppc64le",
"HighAvailability-9.0.0.Z.E4S:pcs-snmp-0:0.11.1-10.el9_0.7.s390x",
"HighAvailability-9.0.0.Z.E4S:pcs-snmp-0:0.11.1-10.el9_0.7.x86_64",
"ResilientStorage-9.0.0.Z.E4S:pcs-0:0.11.1-10.el9_0.7.aarch64",
"ResilientStorage-9.0.0.Z.E4S:pcs-0:0.11.1-10.el9_0.7.ppc64le",
"ResilientStorage-9.0.0.Z.E4S:pcs-0:0.11.1-10.el9_0.7.s390x",
"ResilientStorage-9.0.0.Z.E4S:pcs-0:0.11.1-10.el9_0.7.src",
"ResilientStorage-9.0.0.Z.E4S:pcs-0:0.11.1-10.el9_0.7.x86_64",
"ResilientStorage-9.0.0.Z.E4S:pcs-snmp-0:0.11.1-10.el9_0.7.aarch64",
"ResilientStorage-9.0.0.Z.E4S:pcs-snmp-0:0.11.1-10.el9_0.7.ppc64le",
"ResilientStorage-9.0.0.Z.E4S:pcs-snmp-0:0.11.1-10.el9_0.7.s390x",
"ResilientStorage-9.0.0.Z.E4S:pcs-snmp-0:0.11.1-10.el9_0.7.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"HighAvailability-9.0.0.Z.E4S:pcs-0:0.11.1-10.el9_0.7.aarch64",
"HighAvailability-9.0.0.Z.E4S:pcs-0:0.11.1-10.el9_0.7.ppc64le",
"HighAvailability-9.0.0.Z.E4S:pcs-0:0.11.1-10.el9_0.7.s390x",
"HighAvailability-9.0.0.Z.E4S:pcs-0:0.11.1-10.el9_0.7.src",
"HighAvailability-9.0.0.Z.E4S:pcs-0:0.11.1-10.el9_0.7.x86_64",
"HighAvailability-9.0.0.Z.E4S:pcs-snmp-0:0.11.1-10.el9_0.7.aarch64",
"HighAvailability-9.0.0.Z.E4S:pcs-snmp-0:0.11.1-10.el9_0.7.ppc64le",
"HighAvailability-9.0.0.Z.E4S:pcs-snmp-0:0.11.1-10.el9_0.7.s390x",
"HighAvailability-9.0.0.Z.E4S:pcs-snmp-0:0.11.1-10.el9_0.7.x86_64",
"ResilientStorage-9.0.0.Z.E4S:pcs-0:0.11.1-10.el9_0.7.aarch64",
"ResilientStorage-9.0.0.Z.E4S:pcs-0:0.11.1-10.el9_0.7.ppc64le",
"ResilientStorage-9.0.0.Z.E4S:pcs-0:0.11.1-10.el9_0.7.s390x",
"ResilientStorage-9.0.0.Z.E4S:pcs-0:0.11.1-10.el9_0.7.src",
"ResilientStorage-9.0.0.Z.E4S:pcs-0:0.11.1-10.el9_0.7.x86_64",
"ResilientStorage-9.0.0.Z.E4S:pcs-snmp-0:0.11.1-10.el9_0.7.aarch64",
"ResilientStorage-9.0.0.Z.E4S:pcs-snmp-0:0.11.1-10.el9_0.7.ppc64le",
"ResilientStorage-9.0.0.Z.E4S:pcs-snmp-0:0.11.1-10.el9_0.7.s390x",
"ResilientStorage-9.0.0.Z.E4S:pcs-snmp-0:0.11.1-10.el9_0.7.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "python-tornado: Tornado has HTTP cookie parsing DoS vulnerability"
}
]
}
rhsa-2025:3109
Vulnerability from csaf_redhat
Notes
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for pcs is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities.\n\nSecurity Fix(es):\n\n* python-tornado: Tornado has HTTP cookie parsing DoS vulnerability (CVE-2024-52804)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:3109",
"url": "https://access.redhat.com/errata/RHSA-2025:3109"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2328045",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2328045"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_3109.json"
}
],
"title": "Red Hat Security Advisory: pcs security update",
"tracking": {
"current_release_date": "2025-11-06T22:35:43+00:00",
"generator": {
"date": "2025-11-06T22:35:43+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.11"
}
},
"id": "RHSA-2025:3109",
"initial_release_date": "2025-03-24T10:39:04+00:00",
"revision_history": [
{
"date": "2025-03-24T10:39:04+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-03-24T10:39:04+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-06T22:35:43+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux High Availability EUS (v.8.8)",
"product": {
"name": "Red Hat Enterprise Linux High Availability EUS (v.8.8)",
"product_id": "HighAvailability-8.8.0.Z.EUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_eus:8.8::highavailability"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Resilient Storage EUS (v.8.8)",
"product": {
"name": "Red Hat Enterprise Linux Resilient Storage EUS (v.8.8)",
"product_id": "ResilientStorage-8.8.0.Z.EUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_eus:8.8::resilientstorage"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "pcs-0:0.10.15-4.el8_8.4.src",
"product": {
"name": "pcs-0:0.10.15-4.el8_8.4.src",
"product_id": "pcs-0:0.10.15-4.el8_8.4.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/pcs@0.10.15-4.el8_8.4?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "pcs-0:0.10.15-4.el8_8.4.ppc64le",
"product": {
"name": "pcs-0:0.10.15-4.el8_8.4.ppc64le",
"product_id": "pcs-0:0.10.15-4.el8_8.4.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/pcs@0.10.15-4.el8_8.4?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "pcs-snmp-0:0.10.15-4.el8_8.4.ppc64le",
"product": {
"name": "pcs-snmp-0:0.10.15-4.el8_8.4.ppc64le",
"product_id": "pcs-snmp-0:0.10.15-4.el8_8.4.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/pcs-snmp@0.10.15-4.el8_8.4?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "pcs-0:0.10.15-4.el8_8.4.x86_64",
"product": {
"name": "pcs-0:0.10.15-4.el8_8.4.x86_64",
"product_id": "pcs-0:0.10.15-4.el8_8.4.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/pcs@0.10.15-4.el8_8.4?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "pcs-snmp-0:0.10.15-4.el8_8.4.x86_64",
"product": {
"name": "pcs-snmp-0:0.10.15-4.el8_8.4.x86_64",
"product_id": "pcs-snmp-0:0.10.15-4.el8_8.4.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/pcs-snmp@0.10.15-4.el8_8.4?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "pcs-0:0.10.15-4.el8_8.4.s390x",
"product": {
"name": "pcs-0:0.10.15-4.el8_8.4.s390x",
"product_id": "pcs-0:0.10.15-4.el8_8.4.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/pcs@0.10.15-4.el8_8.4?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "pcs-snmp-0:0.10.15-4.el8_8.4.s390x",
"product": {
"name": "pcs-snmp-0:0.10.15-4.el8_8.4.s390x",
"product_id": "pcs-snmp-0:0.10.15-4.el8_8.4.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/pcs-snmp@0.10.15-4.el8_8.4?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "pcs-0:0.10.15-4.el8_8.4.aarch64",
"product": {
"name": "pcs-0:0.10.15-4.el8_8.4.aarch64",
"product_id": "pcs-0:0.10.15-4.el8_8.4.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/pcs@0.10.15-4.el8_8.4?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "pcs-snmp-0:0.10.15-4.el8_8.4.aarch64",
"product": {
"name": "pcs-snmp-0:0.10.15-4.el8_8.4.aarch64",
"product_id": "pcs-snmp-0:0.10.15-4.el8_8.4.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/pcs-snmp@0.10.15-4.el8_8.4?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.10.15-4.el8_8.4.aarch64 as a component of Red Hat Enterprise Linux High Availability EUS (v.8.8)",
"product_id": "HighAvailability-8.8.0.Z.EUS:pcs-0:0.10.15-4.el8_8.4.aarch64"
},
"product_reference": "pcs-0:0.10.15-4.el8_8.4.aarch64",
"relates_to_product_reference": "HighAvailability-8.8.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.10.15-4.el8_8.4.ppc64le as a component of Red Hat Enterprise Linux High Availability EUS (v.8.8)",
"product_id": "HighAvailability-8.8.0.Z.EUS:pcs-0:0.10.15-4.el8_8.4.ppc64le"
},
"product_reference": "pcs-0:0.10.15-4.el8_8.4.ppc64le",
"relates_to_product_reference": "HighAvailability-8.8.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.10.15-4.el8_8.4.s390x as a component of Red Hat Enterprise Linux High Availability EUS (v.8.8)",
"product_id": "HighAvailability-8.8.0.Z.EUS:pcs-0:0.10.15-4.el8_8.4.s390x"
},
"product_reference": "pcs-0:0.10.15-4.el8_8.4.s390x",
"relates_to_product_reference": "HighAvailability-8.8.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.10.15-4.el8_8.4.src as a component of Red Hat Enterprise Linux High Availability EUS (v.8.8)",
"product_id": "HighAvailability-8.8.0.Z.EUS:pcs-0:0.10.15-4.el8_8.4.src"
},
"product_reference": "pcs-0:0.10.15-4.el8_8.4.src",
"relates_to_product_reference": "HighAvailability-8.8.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.10.15-4.el8_8.4.x86_64 as a component of Red Hat Enterprise Linux High Availability EUS (v.8.8)",
"product_id": "HighAvailability-8.8.0.Z.EUS:pcs-0:0.10.15-4.el8_8.4.x86_64"
},
"product_reference": "pcs-0:0.10.15-4.el8_8.4.x86_64",
"relates_to_product_reference": "HighAvailability-8.8.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-snmp-0:0.10.15-4.el8_8.4.aarch64 as a component of Red Hat Enterprise Linux High Availability EUS (v.8.8)",
"product_id": "HighAvailability-8.8.0.Z.EUS:pcs-snmp-0:0.10.15-4.el8_8.4.aarch64"
},
"product_reference": "pcs-snmp-0:0.10.15-4.el8_8.4.aarch64",
"relates_to_product_reference": "HighAvailability-8.8.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-snmp-0:0.10.15-4.el8_8.4.ppc64le as a component of Red Hat Enterprise Linux High Availability EUS (v.8.8)",
"product_id": "HighAvailability-8.8.0.Z.EUS:pcs-snmp-0:0.10.15-4.el8_8.4.ppc64le"
},
"product_reference": "pcs-snmp-0:0.10.15-4.el8_8.4.ppc64le",
"relates_to_product_reference": "HighAvailability-8.8.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-snmp-0:0.10.15-4.el8_8.4.s390x as a component of Red Hat Enterprise Linux High Availability EUS (v.8.8)",
"product_id": "HighAvailability-8.8.0.Z.EUS:pcs-snmp-0:0.10.15-4.el8_8.4.s390x"
},
"product_reference": "pcs-snmp-0:0.10.15-4.el8_8.4.s390x",
"relates_to_product_reference": "HighAvailability-8.8.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-snmp-0:0.10.15-4.el8_8.4.x86_64 as a component of Red Hat Enterprise Linux High Availability EUS (v.8.8)",
"product_id": "HighAvailability-8.8.0.Z.EUS:pcs-snmp-0:0.10.15-4.el8_8.4.x86_64"
},
"product_reference": "pcs-snmp-0:0.10.15-4.el8_8.4.x86_64",
"relates_to_product_reference": "HighAvailability-8.8.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.10.15-4.el8_8.4.aarch64 as a component of Red Hat Enterprise Linux Resilient Storage EUS (v.8.8)",
"product_id": "ResilientStorage-8.8.0.Z.EUS:pcs-0:0.10.15-4.el8_8.4.aarch64"
},
"product_reference": "pcs-0:0.10.15-4.el8_8.4.aarch64",
"relates_to_product_reference": "ResilientStorage-8.8.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.10.15-4.el8_8.4.ppc64le as a component of Red Hat Enterprise Linux Resilient Storage EUS (v.8.8)",
"product_id": "ResilientStorage-8.8.0.Z.EUS:pcs-0:0.10.15-4.el8_8.4.ppc64le"
},
"product_reference": "pcs-0:0.10.15-4.el8_8.4.ppc64le",
"relates_to_product_reference": "ResilientStorage-8.8.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.10.15-4.el8_8.4.s390x as a component of Red Hat Enterprise Linux Resilient Storage EUS (v.8.8)",
"product_id": "ResilientStorage-8.8.0.Z.EUS:pcs-0:0.10.15-4.el8_8.4.s390x"
},
"product_reference": "pcs-0:0.10.15-4.el8_8.4.s390x",
"relates_to_product_reference": "ResilientStorage-8.8.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.10.15-4.el8_8.4.src as a component of Red Hat Enterprise Linux Resilient Storage EUS (v.8.8)",
"product_id": "ResilientStorage-8.8.0.Z.EUS:pcs-0:0.10.15-4.el8_8.4.src"
},
"product_reference": "pcs-0:0.10.15-4.el8_8.4.src",
"relates_to_product_reference": "ResilientStorage-8.8.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-0:0.10.15-4.el8_8.4.x86_64 as a component of Red Hat Enterprise Linux Resilient Storage EUS (v.8.8)",
"product_id": "ResilientStorage-8.8.0.Z.EUS:pcs-0:0.10.15-4.el8_8.4.x86_64"
},
"product_reference": "pcs-0:0.10.15-4.el8_8.4.x86_64",
"relates_to_product_reference": "ResilientStorage-8.8.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-snmp-0:0.10.15-4.el8_8.4.aarch64 as a component of Red Hat Enterprise Linux Resilient Storage EUS (v.8.8)",
"product_id": "ResilientStorage-8.8.0.Z.EUS:pcs-snmp-0:0.10.15-4.el8_8.4.aarch64"
},
"product_reference": "pcs-snmp-0:0.10.15-4.el8_8.4.aarch64",
"relates_to_product_reference": "ResilientStorage-8.8.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-snmp-0:0.10.15-4.el8_8.4.ppc64le as a component of Red Hat Enterprise Linux Resilient Storage EUS (v.8.8)",
"product_id": "ResilientStorage-8.8.0.Z.EUS:pcs-snmp-0:0.10.15-4.el8_8.4.ppc64le"
},
"product_reference": "pcs-snmp-0:0.10.15-4.el8_8.4.ppc64le",
"relates_to_product_reference": "ResilientStorage-8.8.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-snmp-0:0.10.15-4.el8_8.4.s390x as a component of Red Hat Enterprise Linux Resilient Storage EUS (v.8.8)",
"product_id": "ResilientStorage-8.8.0.Z.EUS:pcs-snmp-0:0.10.15-4.el8_8.4.s390x"
},
"product_reference": "pcs-snmp-0:0.10.15-4.el8_8.4.s390x",
"relates_to_product_reference": "ResilientStorage-8.8.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pcs-snmp-0:0.10.15-4.el8_8.4.x86_64 as a component of Red Hat Enterprise Linux Resilient Storage EUS (v.8.8)",
"product_id": "ResilientStorage-8.8.0.Z.EUS:pcs-snmp-0:0.10.15-4.el8_8.4.x86_64"
},
"product_reference": "pcs-snmp-0:0.10.15-4.el8_8.4.x86_64",
"relates_to_product_reference": "ResilientStorage-8.8.0.Z.EUS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-52804",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2024-11-22T16:00:41.704855+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2328045"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Tornado\u0027s HTTP cookie parsing algorithm. This vulnerability allows excessive CPU consumption via maliciously crafted cookie headers due to quadratic complexity, potentially blocking the processing of other requests and leading to the loss of availability of the system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "python-tornado: Tornado has HTTP cookie parsing DoS vulnerability",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"HighAvailability-8.8.0.Z.EUS:pcs-0:0.10.15-4.el8_8.4.aarch64",
"HighAvailability-8.8.0.Z.EUS:pcs-0:0.10.15-4.el8_8.4.ppc64le",
"HighAvailability-8.8.0.Z.EUS:pcs-0:0.10.15-4.el8_8.4.s390x",
"HighAvailability-8.8.0.Z.EUS:pcs-0:0.10.15-4.el8_8.4.src",
"HighAvailability-8.8.0.Z.EUS:pcs-0:0.10.15-4.el8_8.4.x86_64",
"HighAvailability-8.8.0.Z.EUS:pcs-snmp-0:0.10.15-4.el8_8.4.aarch64",
"HighAvailability-8.8.0.Z.EUS:pcs-snmp-0:0.10.15-4.el8_8.4.ppc64le",
"HighAvailability-8.8.0.Z.EUS:pcs-snmp-0:0.10.15-4.el8_8.4.s390x",
"HighAvailability-8.8.0.Z.EUS:pcs-snmp-0:0.10.15-4.el8_8.4.x86_64",
"ResilientStorage-8.8.0.Z.EUS:pcs-0:0.10.15-4.el8_8.4.aarch64",
"ResilientStorage-8.8.0.Z.EUS:pcs-0:0.10.15-4.el8_8.4.ppc64le",
"ResilientStorage-8.8.0.Z.EUS:pcs-0:0.10.15-4.el8_8.4.s390x",
"ResilientStorage-8.8.0.Z.EUS:pcs-0:0.10.15-4.el8_8.4.src",
"ResilientStorage-8.8.0.Z.EUS:pcs-0:0.10.15-4.el8_8.4.x86_64",
"ResilientStorage-8.8.0.Z.EUS:pcs-snmp-0:0.10.15-4.el8_8.4.aarch64",
"ResilientStorage-8.8.0.Z.EUS:pcs-snmp-0:0.10.15-4.el8_8.4.ppc64le",
"ResilientStorage-8.8.0.Z.EUS:pcs-snmp-0:0.10.15-4.el8_8.4.s390x",
"ResilientStorage-8.8.0.Z.EUS:pcs-snmp-0:0.10.15-4.el8_8.4.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-52804"
},
{
"category": "external",
"summary": "RHBZ#2328045",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2328045"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-52804",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-52804"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-52804",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52804"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-7pwv-g7hj-39pr",
"url": "https://github.com/advisories/GHSA-7pwv-g7hj-39pr"
},
{
"category": "external",
"summary": "https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533",
"url": "https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533"
},
{
"category": "external",
"summary": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c",
"url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c"
}
],
"release_date": "2024-11-22T15:43:38.572000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-03-24T10:39:04+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"HighAvailability-8.8.0.Z.EUS:pcs-0:0.10.15-4.el8_8.4.aarch64",
"HighAvailability-8.8.0.Z.EUS:pcs-0:0.10.15-4.el8_8.4.ppc64le",
"HighAvailability-8.8.0.Z.EUS:pcs-0:0.10.15-4.el8_8.4.s390x",
"HighAvailability-8.8.0.Z.EUS:pcs-0:0.10.15-4.el8_8.4.src",
"HighAvailability-8.8.0.Z.EUS:pcs-0:0.10.15-4.el8_8.4.x86_64",
"HighAvailability-8.8.0.Z.EUS:pcs-snmp-0:0.10.15-4.el8_8.4.aarch64",
"HighAvailability-8.8.0.Z.EUS:pcs-snmp-0:0.10.15-4.el8_8.4.ppc64le",
"HighAvailability-8.8.0.Z.EUS:pcs-snmp-0:0.10.15-4.el8_8.4.s390x",
"HighAvailability-8.8.0.Z.EUS:pcs-snmp-0:0.10.15-4.el8_8.4.x86_64",
"ResilientStorage-8.8.0.Z.EUS:pcs-0:0.10.15-4.el8_8.4.aarch64",
"ResilientStorage-8.8.0.Z.EUS:pcs-0:0.10.15-4.el8_8.4.ppc64le",
"ResilientStorage-8.8.0.Z.EUS:pcs-0:0.10.15-4.el8_8.4.s390x",
"ResilientStorage-8.8.0.Z.EUS:pcs-0:0.10.15-4.el8_8.4.src",
"ResilientStorage-8.8.0.Z.EUS:pcs-0:0.10.15-4.el8_8.4.x86_64",
"ResilientStorage-8.8.0.Z.EUS:pcs-snmp-0:0.10.15-4.el8_8.4.aarch64",
"ResilientStorage-8.8.0.Z.EUS:pcs-snmp-0:0.10.15-4.el8_8.4.ppc64le",
"ResilientStorage-8.8.0.Z.EUS:pcs-snmp-0:0.10.15-4.el8_8.4.s390x",
"ResilientStorage-8.8.0.Z.EUS:pcs-snmp-0:0.10.15-4.el8_8.4.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:3109"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"HighAvailability-8.8.0.Z.EUS:pcs-0:0.10.15-4.el8_8.4.aarch64",
"HighAvailability-8.8.0.Z.EUS:pcs-0:0.10.15-4.el8_8.4.ppc64le",
"HighAvailability-8.8.0.Z.EUS:pcs-0:0.10.15-4.el8_8.4.s390x",
"HighAvailability-8.8.0.Z.EUS:pcs-0:0.10.15-4.el8_8.4.src",
"HighAvailability-8.8.0.Z.EUS:pcs-0:0.10.15-4.el8_8.4.x86_64",
"HighAvailability-8.8.0.Z.EUS:pcs-snmp-0:0.10.15-4.el8_8.4.aarch64",
"HighAvailability-8.8.0.Z.EUS:pcs-snmp-0:0.10.15-4.el8_8.4.ppc64le",
"HighAvailability-8.8.0.Z.EUS:pcs-snmp-0:0.10.15-4.el8_8.4.s390x",
"HighAvailability-8.8.0.Z.EUS:pcs-snmp-0:0.10.15-4.el8_8.4.x86_64",
"ResilientStorage-8.8.0.Z.EUS:pcs-0:0.10.15-4.el8_8.4.aarch64",
"ResilientStorage-8.8.0.Z.EUS:pcs-0:0.10.15-4.el8_8.4.ppc64le",
"ResilientStorage-8.8.0.Z.EUS:pcs-0:0.10.15-4.el8_8.4.s390x",
"ResilientStorage-8.8.0.Z.EUS:pcs-0:0.10.15-4.el8_8.4.src",
"ResilientStorage-8.8.0.Z.EUS:pcs-0:0.10.15-4.el8_8.4.x86_64",
"ResilientStorage-8.8.0.Z.EUS:pcs-snmp-0:0.10.15-4.el8_8.4.aarch64",
"ResilientStorage-8.8.0.Z.EUS:pcs-snmp-0:0.10.15-4.el8_8.4.ppc64le",
"ResilientStorage-8.8.0.Z.EUS:pcs-snmp-0:0.10.15-4.el8_8.4.s390x",
"ResilientStorage-8.8.0.Z.EUS:pcs-snmp-0:0.10.15-4.el8_8.4.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"HighAvailability-8.8.0.Z.EUS:pcs-0:0.10.15-4.el8_8.4.aarch64",
"HighAvailability-8.8.0.Z.EUS:pcs-0:0.10.15-4.el8_8.4.ppc64le",
"HighAvailability-8.8.0.Z.EUS:pcs-0:0.10.15-4.el8_8.4.s390x",
"HighAvailability-8.8.0.Z.EUS:pcs-0:0.10.15-4.el8_8.4.src",
"HighAvailability-8.8.0.Z.EUS:pcs-0:0.10.15-4.el8_8.4.x86_64",
"HighAvailability-8.8.0.Z.EUS:pcs-snmp-0:0.10.15-4.el8_8.4.aarch64",
"HighAvailability-8.8.0.Z.EUS:pcs-snmp-0:0.10.15-4.el8_8.4.ppc64le",
"HighAvailability-8.8.0.Z.EUS:pcs-snmp-0:0.10.15-4.el8_8.4.s390x",
"HighAvailability-8.8.0.Z.EUS:pcs-snmp-0:0.10.15-4.el8_8.4.x86_64",
"ResilientStorage-8.8.0.Z.EUS:pcs-0:0.10.15-4.el8_8.4.aarch64",
"ResilientStorage-8.8.0.Z.EUS:pcs-0:0.10.15-4.el8_8.4.ppc64le",
"ResilientStorage-8.8.0.Z.EUS:pcs-0:0.10.15-4.el8_8.4.s390x",
"ResilientStorage-8.8.0.Z.EUS:pcs-0:0.10.15-4.el8_8.4.src",
"ResilientStorage-8.8.0.Z.EUS:pcs-0:0.10.15-4.el8_8.4.x86_64",
"ResilientStorage-8.8.0.Z.EUS:pcs-snmp-0:0.10.15-4.el8_8.4.aarch64",
"ResilientStorage-8.8.0.Z.EUS:pcs-snmp-0:0.10.15-4.el8_8.4.ppc64le",
"ResilientStorage-8.8.0.Z.EUS:pcs-snmp-0:0.10.15-4.el8_8.4.s390x",
"ResilientStorage-8.8.0.Z.EUS:pcs-snmp-0:0.10.15-4.el8_8.4.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "python-tornado: Tornado has HTTP cookie parsing DoS vulnerability"
}
]
}
rhsa-2024:10590
Vulnerability from csaf_redhat
Notes
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for python-tornado is now available for Red Hat Enterprise Linux 9.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Tornado is a Python web framework and asynchronous networking library that provides an open source version of a scalable, non-blocking web server and tools.\n\nSecurity Fix(es):\n\n* python-tornado: Tornado has HTTP cookie parsing DoS vulnerability (CVE-2024-52804)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2024:10590",
"url": "https://access.redhat.com/errata/RHSA-2024:10590"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2328045",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2328045"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_10590.json"
}
],
"title": "Red Hat Security Advisory: python-tornado security update",
"tracking": {
"current_release_date": "2025-11-06T22:34:20+00:00",
"generator": {
"date": "2025-11-06T22:34:20+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.11"
}
},
"id": "RHSA-2024:10590",
"initial_release_date": "2024-12-02T01:31:22+00:00",
"revision_history": [
{
"date": "2024-12-02T01:31:22+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2024-12-02T01:31:22+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-06T22:34:20+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream (v. 9)",
"product": {
"name": "Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.5.0.Z.MAIN",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:enterprise_linux:9::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "python-tornado-0:6.4.2-1.el9_5.src",
"product": {
"name": "python-tornado-0:6.4.2-1.el9_5.src",
"product_id": "python-tornado-0:6.4.2-1.el9_5.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-tornado@6.4.2-1.el9_5?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "python3-tornado-0:6.4.2-1.el9_5.aarch64",
"product": {
"name": "python3-tornado-0:6.4.2-1.el9_5.aarch64",
"product_id": "python3-tornado-0:6.4.2-1.el9_5.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado@6.4.2-1.el9_5?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "python-tornado-debugsource-0:6.4.2-1.el9_5.aarch64",
"product": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_5.aarch64",
"product_id": "python-tornado-debugsource-0:6.4.2-1.el9_5.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-tornado-debugsource@6.4.2-1.el9_5?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_5.aarch64",
"product": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_5.aarch64",
"product_id": "python3-tornado-debuginfo-0:6.4.2-1.el9_5.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado-debuginfo@6.4.2-1.el9_5?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "python3-tornado-0:6.4.2-1.el9_5.ppc64le",
"product": {
"name": "python3-tornado-0:6.4.2-1.el9_5.ppc64le",
"product_id": "python3-tornado-0:6.4.2-1.el9_5.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado@6.4.2-1.el9_5?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "python-tornado-debugsource-0:6.4.2-1.el9_5.ppc64le",
"product": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_5.ppc64le",
"product_id": "python-tornado-debugsource-0:6.4.2-1.el9_5.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-tornado-debugsource@6.4.2-1.el9_5?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_5.ppc64le",
"product": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_5.ppc64le",
"product_id": "python3-tornado-debuginfo-0:6.4.2-1.el9_5.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado-debuginfo@6.4.2-1.el9_5?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "python3-tornado-0:6.4.2-1.el9_5.x86_64",
"product": {
"name": "python3-tornado-0:6.4.2-1.el9_5.x86_64",
"product_id": "python3-tornado-0:6.4.2-1.el9_5.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado@6.4.2-1.el9_5?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "python-tornado-debugsource-0:6.4.2-1.el9_5.x86_64",
"product": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_5.x86_64",
"product_id": "python-tornado-debugsource-0:6.4.2-1.el9_5.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-tornado-debugsource@6.4.2-1.el9_5?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_5.x86_64",
"product": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_5.x86_64",
"product_id": "python3-tornado-debuginfo-0:6.4.2-1.el9_5.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado-debuginfo@6.4.2-1.el9_5?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "python3-tornado-0:6.4.2-1.el9_5.s390x",
"product": {
"name": "python3-tornado-0:6.4.2-1.el9_5.s390x",
"product_id": "python3-tornado-0:6.4.2-1.el9_5.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado@6.4.2-1.el9_5?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "python-tornado-debugsource-0:6.4.2-1.el9_5.s390x",
"product": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_5.s390x",
"product_id": "python-tornado-debugsource-0:6.4.2-1.el9_5.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-tornado-debugsource@6.4.2-1.el9_5?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_5.s390x",
"product": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_5.s390x",
"product_id": "python3-tornado-debuginfo-0:6.4.2-1.el9_5.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-tornado-debuginfo@6.4.2-1.el9_5?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python-tornado-0:6.4.2-1.el9_5.src as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.5.0.Z.MAIN:python-tornado-0:6.4.2-1.el9_5.src"
},
"product_reference": "python-tornado-0:6.4.2-1.el9_5.src",
"relates_to_product_reference": "AppStream-9.5.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_5.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.5.0.Z.MAIN:python-tornado-debugsource-0:6.4.2-1.el9_5.aarch64"
},
"product_reference": "python-tornado-debugsource-0:6.4.2-1.el9_5.aarch64",
"relates_to_product_reference": "AppStream-9.5.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_5.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.5.0.Z.MAIN:python-tornado-debugsource-0:6.4.2-1.el9_5.ppc64le"
},
"product_reference": "python-tornado-debugsource-0:6.4.2-1.el9_5.ppc64le",
"relates_to_product_reference": "AppStream-9.5.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_5.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.5.0.Z.MAIN:python-tornado-debugsource-0:6.4.2-1.el9_5.s390x"
},
"product_reference": "python-tornado-debugsource-0:6.4.2-1.el9_5.s390x",
"relates_to_product_reference": "AppStream-9.5.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-tornado-debugsource-0:6.4.2-1.el9_5.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.5.0.Z.MAIN:python-tornado-debugsource-0:6.4.2-1.el9_5.x86_64"
},
"product_reference": "python-tornado-debugsource-0:6.4.2-1.el9_5.x86_64",
"relates_to_product_reference": "AppStream-9.5.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-0:6.4.2-1.el9_5.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.5.0.Z.MAIN:python3-tornado-0:6.4.2-1.el9_5.aarch64"
},
"product_reference": "python3-tornado-0:6.4.2-1.el9_5.aarch64",
"relates_to_product_reference": "AppStream-9.5.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-0:6.4.2-1.el9_5.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.5.0.Z.MAIN:python3-tornado-0:6.4.2-1.el9_5.ppc64le"
},
"product_reference": "python3-tornado-0:6.4.2-1.el9_5.ppc64le",
"relates_to_product_reference": "AppStream-9.5.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-0:6.4.2-1.el9_5.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.5.0.Z.MAIN:python3-tornado-0:6.4.2-1.el9_5.s390x"
},
"product_reference": "python3-tornado-0:6.4.2-1.el9_5.s390x",
"relates_to_product_reference": "AppStream-9.5.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-0:6.4.2-1.el9_5.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.5.0.Z.MAIN:python3-tornado-0:6.4.2-1.el9_5.x86_64"
},
"product_reference": "python3-tornado-0:6.4.2-1.el9_5.x86_64",
"relates_to_product_reference": "AppStream-9.5.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_5.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.5.0.Z.MAIN:python3-tornado-debuginfo-0:6.4.2-1.el9_5.aarch64"
},
"product_reference": "python3-tornado-debuginfo-0:6.4.2-1.el9_5.aarch64",
"relates_to_product_reference": "AppStream-9.5.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_5.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.5.0.Z.MAIN:python3-tornado-debuginfo-0:6.4.2-1.el9_5.ppc64le"
},
"product_reference": "python3-tornado-debuginfo-0:6.4.2-1.el9_5.ppc64le",
"relates_to_product_reference": "AppStream-9.5.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_5.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.5.0.Z.MAIN:python3-tornado-debuginfo-0:6.4.2-1.el9_5.s390x"
},
"product_reference": "python3-tornado-debuginfo-0:6.4.2-1.el9_5.s390x",
"relates_to_product_reference": "AppStream-9.5.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-tornado-debuginfo-0:6.4.2-1.el9_5.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.5.0.Z.MAIN:python3-tornado-debuginfo-0:6.4.2-1.el9_5.x86_64"
},
"product_reference": "python3-tornado-debuginfo-0:6.4.2-1.el9_5.x86_64",
"relates_to_product_reference": "AppStream-9.5.0.Z.MAIN"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-52804",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2024-11-22T16:00:41.704855+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2328045"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Tornado\u0027s HTTP cookie parsing algorithm. This vulnerability allows excessive CPU consumption via maliciously crafted cookie headers due to quadratic complexity, potentially blocking the processing of other requests and leading to the loss of availability of the system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "python-tornado: Tornado has HTTP cookie parsing DoS vulnerability",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.5.0.Z.MAIN:python-tornado-0:6.4.2-1.el9_5.src",
"AppStream-9.5.0.Z.MAIN:python-tornado-debugsource-0:6.4.2-1.el9_5.aarch64",
"AppStream-9.5.0.Z.MAIN:python-tornado-debugsource-0:6.4.2-1.el9_5.ppc64le",
"AppStream-9.5.0.Z.MAIN:python-tornado-debugsource-0:6.4.2-1.el9_5.s390x",
"AppStream-9.5.0.Z.MAIN:python-tornado-debugsource-0:6.4.2-1.el9_5.x86_64",
"AppStream-9.5.0.Z.MAIN:python3-tornado-0:6.4.2-1.el9_5.aarch64",
"AppStream-9.5.0.Z.MAIN:python3-tornado-0:6.4.2-1.el9_5.ppc64le",
"AppStream-9.5.0.Z.MAIN:python3-tornado-0:6.4.2-1.el9_5.s390x",
"AppStream-9.5.0.Z.MAIN:python3-tornado-0:6.4.2-1.el9_5.x86_64",
"AppStream-9.5.0.Z.MAIN:python3-tornado-debuginfo-0:6.4.2-1.el9_5.aarch64",
"AppStream-9.5.0.Z.MAIN:python3-tornado-debuginfo-0:6.4.2-1.el9_5.ppc64le",
"AppStream-9.5.0.Z.MAIN:python3-tornado-debuginfo-0:6.4.2-1.el9_5.s390x",
"AppStream-9.5.0.Z.MAIN:python3-tornado-debuginfo-0:6.4.2-1.el9_5.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-52804"
},
{
"category": "external",
"summary": "RHBZ#2328045",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2328045"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-52804",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-52804"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-52804",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52804"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-7pwv-g7hj-39pr",
"url": "https://github.com/advisories/GHSA-7pwv-g7hj-39pr"
},
{
"category": "external",
"summary": "https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533",
"url": "https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533"
},
{
"category": "external",
"summary": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c",
"url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c"
}
],
"release_date": "2024-11-22T15:43:38.572000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-12-02T01:31:22+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.5.0.Z.MAIN:python-tornado-0:6.4.2-1.el9_5.src",
"AppStream-9.5.0.Z.MAIN:python-tornado-debugsource-0:6.4.2-1.el9_5.aarch64",
"AppStream-9.5.0.Z.MAIN:python-tornado-debugsource-0:6.4.2-1.el9_5.ppc64le",
"AppStream-9.5.0.Z.MAIN:python-tornado-debugsource-0:6.4.2-1.el9_5.s390x",
"AppStream-9.5.0.Z.MAIN:python-tornado-debugsource-0:6.4.2-1.el9_5.x86_64",
"AppStream-9.5.0.Z.MAIN:python3-tornado-0:6.4.2-1.el9_5.aarch64",
"AppStream-9.5.0.Z.MAIN:python3-tornado-0:6.4.2-1.el9_5.ppc64le",
"AppStream-9.5.0.Z.MAIN:python3-tornado-0:6.4.2-1.el9_5.s390x",
"AppStream-9.5.0.Z.MAIN:python3-tornado-0:6.4.2-1.el9_5.x86_64",
"AppStream-9.5.0.Z.MAIN:python3-tornado-debuginfo-0:6.4.2-1.el9_5.aarch64",
"AppStream-9.5.0.Z.MAIN:python3-tornado-debuginfo-0:6.4.2-1.el9_5.ppc64le",
"AppStream-9.5.0.Z.MAIN:python3-tornado-debuginfo-0:6.4.2-1.el9_5.s390x",
"AppStream-9.5.0.Z.MAIN:python3-tornado-debuginfo-0:6.4.2-1.el9_5.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:10590"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.5.0.Z.MAIN:python-tornado-0:6.4.2-1.el9_5.src",
"AppStream-9.5.0.Z.MAIN:python-tornado-debugsource-0:6.4.2-1.el9_5.aarch64",
"AppStream-9.5.0.Z.MAIN:python-tornado-debugsource-0:6.4.2-1.el9_5.ppc64le",
"AppStream-9.5.0.Z.MAIN:python-tornado-debugsource-0:6.4.2-1.el9_5.s390x",
"AppStream-9.5.0.Z.MAIN:python-tornado-debugsource-0:6.4.2-1.el9_5.x86_64",
"AppStream-9.5.0.Z.MAIN:python3-tornado-0:6.4.2-1.el9_5.aarch64",
"AppStream-9.5.0.Z.MAIN:python3-tornado-0:6.4.2-1.el9_5.ppc64le",
"AppStream-9.5.0.Z.MAIN:python3-tornado-0:6.4.2-1.el9_5.s390x",
"AppStream-9.5.0.Z.MAIN:python3-tornado-0:6.4.2-1.el9_5.x86_64",
"AppStream-9.5.0.Z.MAIN:python3-tornado-debuginfo-0:6.4.2-1.el9_5.aarch64",
"AppStream-9.5.0.Z.MAIN:python3-tornado-debuginfo-0:6.4.2-1.el9_5.ppc64le",
"AppStream-9.5.0.Z.MAIN:python3-tornado-debuginfo-0:6.4.2-1.el9_5.s390x",
"AppStream-9.5.0.Z.MAIN:python3-tornado-debuginfo-0:6.4.2-1.el9_5.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.5.0.Z.MAIN:python-tornado-0:6.4.2-1.el9_5.src",
"AppStream-9.5.0.Z.MAIN:python-tornado-debugsource-0:6.4.2-1.el9_5.aarch64",
"AppStream-9.5.0.Z.MAIN:python-tornado-debugsource-0:6.4.2-1.el9_5.ppc64le",
"AppStream-9.5.0.Z.MAIN:python-tornado-debugsource-0:6.4.2-1.el9_5.s390x",
"AppStream-9.5.0.Z.MAIN:python-tornado-debugsource-0:6.4.2-1.el9_5.x86_64",
"AppStream-9.5.0.Z.MAIN:python3-tornado-0:6.4.2-1.el9_5.aarch64",
"AppStream-9.5.0.Z.MAIN:python3-tornado-0:6.4.2-1.el9_5.ppc64le",
"AppStream-9.5.0.Z.MAIN:python3-tornado-0:6.4.2-1.el9_5.s390x",
"AppStream-9.5.0.Z.MAIN:python3-tornado-0:6.4.2-1.el9_5.x86_64",
"AppStream-9.5.0.Z.MAIN:python3-tornado-debuginfo-0:6.4.2-1.el9_5.aarch64",
"AppStream-9.5.0.Z.MAIN:python3-tornado-debuginfo-0:6.4.2-1.el9_5.ppc64le",
"AppStream-9.5.0.Z.MAIN:python3-tornado-debuginfo-0:6.4.2-1.el9_5.s390x",
"AppStream-9.5.0.Z.MAIN:python3-tornado-debuginfo-0:6.4.2-1.el9_5.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "python-tornado: Tornado has HTTP cookie parsing DoS vulnerability"
}
]
}
wid-sec-w-2024-3569
Vulnerability from csaf_certbund
Notes
{
"document": {
"aggregate_severity": {
"text": "mittel"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Red Hat Enterprise Linux (RHEL) ist eine popul\u00e4re Linux-Distribution.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Red Hat Enterprise Linux ausnutzen, um einen Denial of Service Angriff durchzuf\u00fchren.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2024-3569 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-3569.json"
},
{
"category": "self",
"summary": "WID-SEC-2024-3569 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-3569"
},
{
"category": "external",
"summary": "Red Hat Security Advisory vom 2024-12-01",
"url": "https://access.redhat.com/errata/RHSA-2024:10590"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2024:4137-1 vom 2024-12-02",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2024-December/019892.html"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2024-10590 vom 2024-12-02",
"url": "https://linux.oracle.com/errata/ELSA-2024-10590.html"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2024:10836 vom 2024-12-05",
"url": "https://access.redhat.com/errata/RHSA-2024:10836"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2024:10843 vom 2024-12-05",
"url": "https://access.redhat.com/errata/RHSA-2024:10843"
},
{
"category": "external",
"summary": "Ubuntu Security Notice USN-7150-1 vom 2024-12-11",
"url": "https://ubuntu.com/security/notices/USN-7150-1"
},
{
"category": "external",
"summary": "Debian Security Advisory DLA-4007 vom 2025-01-01",
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00000.html"
},
{
"category": "external",
"summary": "Amazon Linux Security Advisory ALAS-2025-2725 vom 2025-01-10",
"url": "https://alas.aws.amazon.com/AL2/ALAS-2025-2725.html"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:2470 vom 2025-03-10",
"url": "https://access.redhat.com/errata/RHSA-2025:2470"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:2471 vom 2025-03-10",
"url": "https://access.redhat.com/errata/RHSA-2025:2471"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:2550 vom 2025-03-10",
"url": "https://access.redhat.com/errata/RHSA-2025:2550"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2025-2471 vom 2025-03-12",
"url": "https://linux.oracle.com/errata/ELSA-2025-2471.html"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:2872 vom 2025-03-17",
"url": "https://access.redhat.com/errata/RHSA-2025:2872"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:2955 vom 2025-03-17",
"url": "https://access.redhat.com/errata/RHSA-2025:2955"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:2956 vom 2025-03-17",
"url": "https://access.redhat.com/errata/RHSA-2025:2956"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2025-2872 vom 2025-03-19",
"url": "https://linux.oracle.com/errata/ELSA-2025-2872.html"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:3108 vom 2025-03-24",
"url": "https://access.redhat.com/errata/RHSA-2025:3108"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:3109 vom 2025-03-24",
"url": "https://access.redhat.com/errata/RHSA-2025:3109"
},
{
"category": "external",
"summary": "Fedora Security Advisory FEDORA-2025-DB6E9BB7FB vom 2025-05-22",
"url": "https://bodhi.fedoraproject.org/updates/FEDORA-2025-db6e9bb7fb"
},
{
"category": "external",
"summary": "Fedora Security Advisory FEDORA-2025-5320059879 vom 2025-05-22",
"url": "https://bodhi.fedoraproject.org/updates/FEDORA-2025-5320059879"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2025-8254 vom 2025-05-29",
"url": "https://linux.oracle.com/errata/ELSA-2025-8254.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:20096-1 vom 2025-06-04",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-June/021286.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:20445-1 vom 2025-06-30",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-June/021721.html"
},
{
"category": "external",
"summary": "Rocky Linux Security Advisory RLSA-2025:2471 vom 2025-07-29",
"url": "https://errata.build.resf.org/RLSA-2025:2471"
}
],
"source_lang": "en-US",
"title": "Red Hat Enterprise Linux (python-tornado): Schwachstelle erm\u00f6glicht Denial of Service",
"tracking": {
"current_release_date": "2025-07-29T22:00:00.000+00:00",
"generator": {
"date": "2025-07-30T09:11:09.907+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.4.0"
}
},
"id": "WID-SEC-W-2024-3569",
"initial_release_date": "2024-12-01T23:00:00.000+00:00",
"revision_history": [
{
"date": "2024-12-01T23:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2024-12-02T23:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von SUSE und Oracle Linux aufgenommen"
},
{
"date": "2024-12-04T23:00:00.000+00:00",
"number": "3",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2024-12-11T23:00:00.000+00:00",
"number": "4",
"summary": "Neue Updates von Ubuntu aufgenommen"
},
{
"date": "2025-01-01T23:00:00.000+00:00",
"number": "5",
"summary": "Neue Updates von Debian aufgenommen"
},
{
"date": "2025-01-09T23:00:00.000+00:00",
"number": "6",
"summary": "Neue Updates von Amazon aufgenommen"
},
{
"date": "2025-03-09T23:00:00.000+00:00",
"number": "7",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2025-03-10T23:00:00.000+00:00",
"number": "8",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2025-03-12T23:00:00.000+00:00",
"number": "9",
"summary": "Neue Updates von Oracle Linux aufgenommen"
},
{
"date": "2025-03-16T23:00:00.000+00:00",
"number": "10",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2025-03-17T23:00:00.000+00:00",
"number": "11",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2025-03-18T23:00:00.000+00:00",
"number": "12",
"summary": "Neue Updates von Oracle Linux aufgenommen"
},
{
"date": "2025-03-23T23:00:00.000+00:00",
"number": "13",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2025-05-21T22:00:00.000+00:00",
"number": "14",
"summary": "Neue Updates von Fedora aufgenommen"
},
{
"date": "2025-05-29T22:00:00.000+00:00",
"number": "15",
"summary": "Neue Updates von Oracle Linux aufgenommen"
},
{
"date": "2025-06-03T22:00:00.000+00:00",
"number": "16",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2025-06-30T22:00:00.000+00:00",
"number": "17",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2025-07-29T22:00:00.000+00:00",
"number": "18",
"summary": "Neue Updates von Rocky Enterprise Software Foundation aufgenommen"
}
],
"status": "final",
"version": "18"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Amazon Linux 2",
"product": {
"name": "Amazon Linux 2",
"product_id": "398363",
"product_identification_helper": {
"cpe": "cpe:/o:amazon:linux_2:-"
}
}
}
],
"category": "vendor",
"name": "Amazon"
},
{
"branches": [
{
"category": "product_name",
"name": "Debian Linux",
"product": {
"name": "Debian Linux",
"product_id": "2951",
"product_identification_helper": {
"cpe": "cpe:/o:debian:debian_linux:-"
}
}
}
],
"category": "vendor",
"name": "Debian"
},
{
"branches": [
{
"category": "product_name",
"name": "Fedora Linux",
"product": {
"name": "Fedora Linux",
"product_id": "74185",
"product_identification_helper": {
"cpe": "cpe:/o:fedoraproject:fedora:-"
}
}
}
],
"category": "vendor",
"name": "Fedora"
},
{
"branches": [
{
"category": "product_name",
"name": "Oracle Linux",
"product": {
"name": "Oracle Linux",
"product_id": "T004914",
"product_identification_helper": {
"cpe": "cpe:/o:oracle:linux:-"
}
}
}
],
"category": "vendor",
"name": "Oracle"
},
{
"branches": [
{
"category": "product_name",
"name": "RESF Rocky Linux",
"product": {
"name": "RESF Rocky Linux",
"product_id": "T032255",
"product_identification_helper": {
"cpe": "cpe:/o:resf:rocky_linux:-"
}
}
}
],
"category": "vendor",
"name": "RESF"
},
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux",
"product": {
"name": "Red Hat Enterprise Linux",
"product_id": "67646",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:-"
}
}
},
{
"category": "product_version",
"name": "9",
"product": {
"name": "Red Hat Enterprise Linux 9",
"product_id": "T033227",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:9"
}
}
},
{
"category": "product_version_range",
"name": "python-tornado \u003c6.4.2",
"product": {
"name": "Red Hat Enterprise Linux python-tornado \u003c6.4.2",
"product_id": "T039515"
}
},
{
"category": "product_version",
"name": "python-tornado 6.4.2",
"product": {
"name": "Red Hat Enterprise Linux python-tornado 6.4.2",
"product_id": "T039515-fixed",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:python-tornado__6.4.2"
}
}
}
],
"category": "product_name",
"name": "Enterprise Linux"
}
],
"category": "vendor",
"name": "Red Hat"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux",
"product": {
"name": "SUSE Linux",
"product_id": "T002207",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse_linux:-"
}
}
}
],
"category": "vendor",
"name": "SUSE"
},
{
"branches": [
{
"category": "product_name",
"name": "Ubuntu Linux",
"product": {
"name": "Ubuntu Linux",
"product_id": "T000126",
"product_identification_helper": {
"cpe": "cpe:/o:canonical:ubuntu_linux:-"
}
}
}
],
"category": "vendor",
"name": "Ubuntu"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-52804",
"product_status": {
"known_affected": [
"T033227",
"2951",
"T002207",
"67646",
"T000126",
"398363",
"T039515",
"T004914",
"T032255",
"74185"
]
},
"release_date": "2024-12-01T23:00:00.000+00:00",
"title": "CVE-2024-52804"
}
]
}
WID-SEC-W-2024-3569
Vulnerability from csaf_certbund
Notes
{
"document": {
"aggregate_severity": {
"text": "mittel"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Red Hat Enterprise Linux (RHEL) ist eine popul\u00e4re Linux-Distribution.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Red Hat Enterprise Linux ausnutzen, um einen Denial of Service Angriff durchzuf\u00fchren.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2024-3569 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-3569.json"
},
{
"category": "self",
"summary": "WID-SEC-2024-3569 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-3569"
},
{
"category": "external",
"summary": "Red Hat Security Advisory vom 2024-12-01",
"url": "https://access.redhat.com/errata/RHSA-2024:10590"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2024:4137-1 vom 2024-12-02",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2024-December/019892.html"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2024-10590 vom 2024-12-02",
"url": "https://linux.oracle.com/errata/ELSA-2024-10590.html"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2024:10836 vom 2024-12-05",
"url": "https://access.redhat.com/errata/RHSA-2024:10836"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2024:10843 vom 2024-12-05",
"url": "https://access.redhat.com/errata/RHSA-2024:10843"
},
{
"category": "external",
"summary": "Ubuntu Security Notice USN-7150-1 vom 2024-12-11",
"url": "https://ubuntu.com/security/notices/USN-7150-1"
},
{
"category": "external",
"summary": "Debian Security Advisory DLA-4007 vom 2025-01-01",
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00000.html"
},
{
"category": "external",
"summary": "Amazon Linux Security Advisory ALAS-2025-2725 vom 2025-01-10",
"url": "https://alas.aws.amazon.com/AL2/ALAS-2025-2725.html"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:2470 vom 2025-03-10",
"url": "https://access.redhat.com/errata/RHSA-2025:2470"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:2471 vom 2025-03-10",
"url": "https://access.redhat.com/errata/RHSA-2025:2471"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:2550 vom 2025-03-10",
"url": "https://access.redhat.com/errata/RHSA-2025:2550"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2025-2471 vom 2025-03-12",
"url": "https://linux.oracle.com/errata/ELSA-2025-2471.html"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:2872 vom 2025-03-17",
"url": "https://access.redhat.com/errata/RHSA-2025:2872"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:2955 vom 2025-03-17",
"url": "https://access.redhat.com/errata/RHSA-2025:2955"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:2956 vom 2025-03-17",
"url": "https://access.redhat.com/errata/RHSA-2025:2956"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2025-2872 vom 2025-03-19",
"url": "https://linux.oracle.com/errata/ELSA-2025-2872.html"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:3108 vom 2025-03-24",
"url": "https://access.redhat.com/errata/RHSA-2025:3108"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:3109 vom 2025-03-24",
"url": "https://access.redhat.com/errata/RHSA-2025:3109"
},
{
"category": "external",
"summary": "Fedora Security Advisory FEDORA-2025-DB6E9BB7FB vom 2025-05-22",
"url": "https://bodhi.fedoraproject.org/updates/FEDORA-2025-db6e9bb7fb"
},
{
"category": "external",
"summary": "Fedora Security Advisory FEDORA-2025-5320059879 vom 2025-05-22",
"url": "https://bodhi.fedoraproject.org/updates/FEDORA-2025-5320059879"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2025-8254 vom 2025-05-29",
"url": "https://linux.oracle.com/errata/ELSA-2025-8254.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:20096-1 vom 2025-06-04",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-June/021286.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:20445-1 vom 2025-06-30",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-June/021721.html"
},
{
"category": "external",
"summary": "Rocky Linux Security Advisory RLSA-2025:2471 vom 2025-07-29",
"url": "https://errata.build.resf.org/RLSA-2025:2471"
}
],
"source_lang": "en-US",
"title": "Red Hat Enterprise Linux (python-tornado): Schwachstelle erm\u00f6glicht Denial of Service",
"tracking": {
"current_release_date": "2025-07-29T22:00:00.000+00:00",
"generator": {
"date": "2025-07-30T09:11:09.907+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.4.0"
}
},
"id": "WID-SEC-W-2024-3569",
"initial_release_date": "2024-12-01T23:00:00.000+00:00",
"revision_history": [
{
"date": "2024-12-01T23:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2024-12-02T23:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von SUSE und Oracle Linux aufgenommen"
},
{
"date": "2024-12-04T23:00:00.000+00:00",
"number": "3",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2024-12-11T23:00:00.000+00:00",
"number": "4",
"summary": "Neue Updates von Ubuntu aufgenommen"
},
{
"date": "2025-01-01T23:00:00.000+00:00",
"number": "5",
"summary": "Neue Updates von Debian aufgenommen"
},
{
"date": "2025-01-09T23:00:00.000+00:00",
"number": "6",
"summary": "Neue Updates von Amazon aufgenommen"
},
{
"date": "2025-03-09T23:00:00.000+00:00",
"number": "7",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2025-03-10T23:00:00.000+00:00",
"number": "8",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2025-03-12T23:00:00.000+00:00",
"number": "9",
"summary": "Neue Updates von Oracle Linux aufgenommen"
},
{
"date": "2025-03-16T23:00:00.000+00:00",
"number": "10",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2025-03-17T23:00:00.000+00:00",
"number": "11",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2025-03-18T23:00:00.000+00:00",
"number": "12",
"summary": "Neue Updates von Oracle Linux aufgenommen"
},
{
"date": "2025-03-23T23:00:00.000+00:00",
"number": "13",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2025-05-21T22:00:00.000+00:00",
"number": "14",
"summary": "Neue Updates von Fedora aufgenommen"
},
{
"date": "2025-05-29T22:00:00.000+00:00",
"number": "15",
"summary": "Neue Updates von Oracle Linux aufgenommen"
},
{
"date": "2025-06-03T22:00:00.000+00:00",
"number": "16",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2025-06-30T22:00:00.000+00:00",
"number": "17",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2025-07-29T22:00:00.000+00:00",
"number": "18",
"summary": "Neue Updates von Rocky Enterprise Software Foundation aufgenommen"
}
],
"status": "final",
"version": "18"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Amazon Linux 2",
"product": {
"name": "Amazon Linux 2",
"product_id": "398363",
"product_identification_helper": {
"cpe": "cpe:/o:amazon:linux_2:-"
}
}
}
],
"category": "vendor",
"name": "Amazon"
},
{
"branches": [
{
"category": "product_name",
"name": "Debian Linux",
"product": {
"name": "Debian Linux",
"product_id": "2951",
"product_identification_helper": {
"cpe": "cpe:/o:debian:debian_linux:-"
}
}
}
],
"category": "vendor",
"name": "Debian"
},
{
"branches": [
{
"category": "product_name",
"name": "Fedora Linux",
"product": {
"name": "Fedora Linux",
"product_id": "74185",
"product_identification_helper": {
"cpe": "cpe:/o:fedoraproject:fedora:-"
}
}
}
],
"category": "vendor",
"name": "Fedora"
},
{
"branches": [
{
"category": "product_name",
"name": "Oracle Linux",
"product": {
"name": "Oracle Linux",
"product_id": "T004914",
"product_identification_helper": {
"cpe": "cpe:/o:oracle:linux:-"
}
}
}
],
"category": "vendor",
"name": "Oracle"
},
{
"branches": [
{
"category": "product_name",
"name": "RESF Rocky Linux",
"product": {
"name": "RESF Rocky Linux",
"product_id": "T032255",
"product_identification_helper": {
"cpe": "cpe:/o:resf:rocky_linux:-"
}
}
}
],
"category": "vendor",
"name": "RESF"
},
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux",
"product": {
"name": "Red Hat Enterprise Linux",
"product_id": "67646",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:-"
}
}
},
{
"category": "product_version",
"name": "9",
"product": {
"name": "Red Hat Enterprise Linux 9",
"product_id": "T033227",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:9"
}
}
},
{
"category": "product_version_range",
"name": "python-tornado \u003c6.4.2",
"product": {
"name": "Red Hat Enterprise Linux python-tornado \u003c6.4.2",
"product_id": "T039515"
}
},
{
"category": "product_version",
"name": "python-tornado 6.4.2",
"product": {
"name": "Red Hat Enterprise Linux python-tornado 6.4.2",
"product_id": "T039515-fixed",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:python-tornado__6.4.2"
}
}
}
],
"category": "product_name",
"name": "Enterprise Linux"
}
],
"category": "vendor",
"name": "Red Hat"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux",
"product": {
"name": "SUSE Linux",
"product_id": "T002207",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse_linux:-"
}
}
}
],
"category": "vendor",
"name": "SUSE"
},
{
"branches": [
{
"category": "product_name",
"name": "Ubuntu Linux",
"product": {
"name": "Ubuntu Linux",
"product_id": "T000126",
"product_identification_helper": {
"cpe": "cpe:/o:canonical:ubuntu_linux:-"
}
}
}
],
"category": "vendor",
"name": "Ubuntu"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-52804",
"product_status": {
"known_affected": [
"T033227",
"2951",
"T002207",
"67646",
"T000126",
"398363",
"T039515",
"T004914",
"T032255",
"74185"
]
},
"release_date": "2024-12-01T23:00:00.000+00:00",
"title": "CVE-2024-52804"
}
]
}
suse-su-2025:20096-1
Vulnerability from csaf_suse
Notes
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for python-tornado6",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for python-tornado6 fixes the following issues:\n\n- CVE-2024-52804: Avoid quadratic performance of cookie parsing (bsc#1233668).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SLE-Micro-6.0-141",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_20096-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2025:20096-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202520096-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2025:20096-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-June/021221.html"
},
{
"category": "self",
"summary": "SUSE Bug 1233668",
"url": "https://bugzilla.suse.com/1233668"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-52804 page",
"url": "https://www.suse.com/security/cve/CVE-2024-52804/"
}
],
"title": "Security update for python-tornado6",
"tracking": {
"current_release_date": "2025-02-03T09:13:17Z",
"generator": {
"date": "2025-02-03T09:13:17Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2025:20096-1",
"initial_release_date": "2025-02-03T09:13:17Z",
"revision_history": [
{
"date": "2025-02-03T09:13:17Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python311-tornado6-6.4-2.1.aarch64",
"product": {
"name": "python311-tornado6-6.4-2.1.aarch64",
"product_id": "python311-tornado6-6.4-2.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "python311-tornado6-6.4-2.1.s390x",
"product": {
"name": "python311-tornado6-6.4-2.1.s390x",
"product_id": "python311-tornado6-6.4-2.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "python311-tornado6-6.4-2.1.x86_64",
"product": {
"name": "python311-tornado6-6.4-2.1.x86_64",
"product_id": "python311-tornado6-6.4-2.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Micro 6.0",
"product": {
"name": "SUSE Linux Micro 6.0",
"product_id": "SUSE Linux Micro 6.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sl-micro:6.0"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-tornado6-6.4-2.1.aarch64 as component of SUSE Linux Micro 6.0",
"product_id": "SUSE Linux Micro 6.0:python311-tornado6-6.4-2.1.aarch64"
},
"product_reference": "python311-tornado6-6.4-2.1.aarch64",
"relates_to_product_reference": "SUSE Linux Micro 6.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-tornado6-6.4-2.1.s390x as component of SUSE Linux Micro 6.0",
"product_id": "SUSE Linux Micro 6.0:python311-tornado6-6.4-2.1.s390x"
},
"product_reference": "python311-tornado6-6.4-2.1.s390x",
"relates_to_product_reference": "SUSE Linux Micro 6.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-tornado6-6.4-2.1.x86_64 as component of SUSE Linux Micro 6.0",
"product_id": "SUSE Linux Micro 6.0:python311-tornado6-6.4-2.1.x86_64"
},
"product_reference": "python311-tornado6-6.4-2.1.x86_64",
"relates_to_product_reference": "SUSE Linux Micro 6.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-52804",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-52804"
}
],
"notes": [
{
"category": "general",
"text": "Tornado is a Python web framework and asynchronous networking library. The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This parsing occurs in the event loop thread and may block the processing of other requests. Version 6.4.2 fixes the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.0:python311-tornado6-6.4-2.1.aarch64",
"SUSE Linux Micro 6.0:python311-tornado6-6.4-2.1.s390x",
"SUSE Linux Micro 6.0:python311-tornado6-6.4-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-52804",
"url": "https://www.suse.com/security/cve/CVE-2024-52804"
},
{
"category": "external",
"summary": "SUSE Bug 1233668 for CVE-2024-52804",
"url": "https://bugzilla.suse.com/1233668"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.0:python311-tornado6-6.4-2.1.aarch64",
"SUSE Linux Micro 6.0:python311-tornado6-6.4-2.1.s390x",
"SUSE Linux Micro 6.0:python311-tornado6-6.4-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.0:python311-tornado6-6.4-2.1.aarch64",
"SUSE Linux Micro 6.0:python311-tornado6-6.4-2.1.s390x",
"SUSE Linux Micro 6.0:python311-tornado6-6.4-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-02-03T09:13:17Z",
"details": "moderate"
}
],
"title": "CVE-2024-52804"
}
]
}
suse-su-2025:20445-1
Vulnerability from csaf_suse
Notes
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for python-tornado6",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for python-tornado6 fixes the following issues:\n\n- CVE-2024-52804: Fixed excessive CPU consumption by the algorithm \n used for parsing HTTP cookies (bsc#1233668)\n- CVE-2025-47287: Fixed denial-of-service via generation of an extremely\n high volume of logs due to multipart/form-data parser (bsc#1243268)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SLE-Micro-6.1-157",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_20445-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2025:20445-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202520445-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2025:20445-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2025-June/040560.html"
},
{
"category": "self",
"summary": "SUSE Bug 1233668",
"url": "https://bugzilla.suse.com/1233668"
},
{
"category": "self",
"summary": "SUSE Bug 1243268",
"url": "https://bugzilla.suse.com/1243268"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-52804 page",
"url": "https://www.suse.com/security/cve/CVE-2024-52804/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-47287 page",
"url": "https://www.suse.com/security/cve/CVE-2025-47287/"
}
],
"title": "Security update for python-tornado6",
"tracking": {
"current_release_date": "2025-06-24T08:53:22Z",
"generator": {
"date": "2025-06-24T08:53:22Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2025:20445-1",
"initial_release_date": "2025-06-24T08:53:22Z",
"revision_history": [
{
"date": "2025-06-24T08:53:22Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python311-tornado6-6.4-slfo.1.1_2.1.aarch64",
"product": {
"name": "python311-tornado6-6.4-slfo.1.1_2.1.aarch64",
"product_id": "python311-tornado6-6.4-slfo.1.1_2.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "python311-tornado6-6.4-slfo.1.1_2.1.ppc64le",
"product": {
"name": "python311-tornado6-6.4-slfo.1.1_2.1.ppc64le",
"product_id": "python311-tornado6-6.4-slfo.1.1_2.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "python311-tornado6-6.4-slfo.1.1_2.1.s390x",
"product": {
"name": "python311-tornado6-6.4-slfo.1.1_2.1.s390x",
"product_id": "python311-tornado6-6.4-slfo.1.1_2.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "python311-tornado6-6.4-slfo.1.1_2.1.x86_64",
"product": {
"name": "python311-tornado6-6.4-slfo.1.1_2.1.x86_64",
"product_id": "python311-tornado6-6.4-slfo.1.1_2.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Micro 6.1",
"product": {
"name": "SUSE Linux Micro 6.1",
"product_id": "SUSE Linux Micro 6.1",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sl-micro:6.1"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-tornado6-6.4-slfo.1.1_2.1.aarch64 as component of SUSE Linux Micro 6.1",
"product_id": "SUSE Linux Micro 6.1:python311-tornado6-6.4-slfo.1.1_2.1.aarch64"
},
"product_reference": "python311-tornado6-6.4-slfo.1.1_2.1.aarch64",
"relates_to_product_reference": "SUSE Linux Micro 6.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-tornado6-6.4-slfo.1.1_2.1.ppc64le as component of SUSE Linux Micro 6.1",
"product_id": "SUSE Linux Micro 6.1:python311-tornado6-6.4-slfo.1.1_2.1.ppc64le"
},
"product_reference": "python311-tornado6-6.4-slfo.1.1_2.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Micro 6.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-tornado6-6.4-slfo.1.1_2.1.s390x as component of SUSE Linux Micro 6.1",
"product_id": "SUSE Linux Micro 6.1:python311-tornado6-6.4-slfo.1.1_2.1.s390x"
},
"product_reference": "python311-tornado6-6.4-slfo.1.1_2.1.s390x",
"relates_to_product_reference": "SUSE Linux Micro 6.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-tornado6-6.4-slfo.1.1_2.1.x86_64 as component of SUSE Linux Micro 6.1",
"product_id": "SUSE Linux Micro 6.1:python311-tornado6-6.4-slfo.1.1_2.1.x86_64"
},
"product_reference": "python311-tornado6-6.4-slfo.1.1_2.1.x86_64",
"relates_to_product_reference": "SUSE Linux Micro 6.1"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-52804",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-52804"
}
],
"notes": [
{
"category": "general",
"text": "Tornado is a Python web framework and asynchronous networking library. The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This parsing occurs in the event loop thread and may block the processing of other requests. Version 6.4.2 fixes the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.1:python311-tornado6-6.4-slfo.1.1_2.1.aarch64",
"SUSE Linux Micro 6.1:python311-tornado6-6.4-slfo.1.1_2.1.ppc64le",
"SUSE Linux Micro 6.1:python311-tornado6-6.4-slfo.1.1_2.1.s390x",
"SUSE Linux Micro 6.1:python311-tornado6-6.4-slfo.1.1_2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-52804",
"url": "https://www.suse.com/security/cve/CVE-2024-52804"
},
{
"category": "external",
"summary": "SUSE Bug 1233668 for CVE-2024-52804",
"url": "https://bugzilla.suse.com/1233668"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.1:python311-tornado6-6.4-slfo.1.1_2.1.aarch64",
"SUSE Linux Micro 6.1:python311-tornado6-6.4-slfo.1.1_2.1.ppc64le",
"SUSE Linux Micro 6.1:python311-tornado6-6.4-slfo.1.1_2.1.s390x",
"SUSE Linux Micro 6.1:python311-tornado6-6.4-slfo.1.1_2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.1:python311-tornado6-6.4-slfo.1.1_2.1.aarch64",
"SUSE Linux Micro 6.1:python311-tornado6-6.4-slfo.1.1_2.1.ppc64le",
"SUSE Linux Micro 6.1:python311-tornado6-6.4-slfo.1.1_2.1.s390x",
"SUSE Linux Micro 6.1:python311-tornado6-6.4-slfo.1.1_2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-06-24T08:53:22Z",
"details": "moderate"
}
],
"title": "CVE-2024-52804"
},
{
"cve": "CVE-2025-47287",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-47287"
}
],
"notes": [
{
"category": "general",
"text": "Tornado is a Python web framework and asynchronous networking library. When Tornado\u0027s ``multipart/form-data`` parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high volume of logs, constituting a DoS attack. This DoS is compounded by the fact that the logging subsystem is synchronous. All versions of Tornado prior to 6.5.0 are affected. The vulnerable parser is enabled by default. Upgrade to Tornado version 6.5.0 to receive a patch. As a workaround, risk can be mitigated by blocking `Content-Type: multipart/form-data` in a proxy.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.1:python311-tornado6-6.4-slfo.1.1_2.1.aarch64",
"SUSE Linux Micro 6.1:python311-tornado6-6.4-slfo.1.1_2.1.ppc64le",
"SUSE Linux Micro 6.1:python311-tornado6-6.4-slfo.1.1_2.1.s390x",
"SUSE Linux Micro 6.1:python311-tornado6-6.4-slfo.1.1_2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-47287",
"url": "https://www.suse.com/security/cve/CVE-2025-47287"
},
{
"category": "external",
"summary": "SUSE Bug 1243268 for CVE-2025-47287",
"url": "https://bugzilla.suse.com/1243268"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.1:python311-tornado6-6.4-slfo.1.1_2.1.aarch64",
"SUSE Linux Micro 6.1:python311-tornado6-6.4-slfo.1.1_2.1.ppc64le",
"SUSE Linux Micro 6.1:python311-tornado6-6.4-slfo.1.1_2.1.s390x",
"SUSE Linux Micro 6.1:python311-tornado6-6.4-slfo.1.1_2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.1:python311-tornado6-6.4-slfo.1.1_2.1.aarch64",
"SUSE Linux Micro 6.1:python311-tornado6-6.4-slfo.1.1_2.1.ppc64le",
"SUSE Linux Micro 6.1:python311-tornado6-6.4-slfo.1.1_2.1.s390x",
"SUSE Linux Micro 6.1:python311-tornado6-6.4-slfo.1.1_2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-06-24T08:53:22Z",
"details": "important"
}
],
"title": "CVE-2025-47287"
}
]
}
suse-su-2024:4137-1
Vulnerability from csaf_suse
Notes
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for python-tornado6",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for python-tornado6 fixes the following issues:\n\n- CVE-2024-52804: Fixed a denial of service caused by quadratic performance of cookie parsing (bsc#1233668)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2024-4137,SUSE-SLE-Module-Python3-15-SP5-2024-4137,SUSE-SLE-Module-Python3-15-SP6-2024-4137,openSUSE-SLE-15.5-2024-4137,openSUSE-SLE-15.6-2024-4137",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2024_4137-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2024:4137-1",
"url": "https://www.suse.com/support/update/announcement/2024/suse-su-20244137-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2024:4137-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2024-December/019892.html"
},
{
"category": "self",
"summary": "SUSE Bug 1233668",
"url": "https://bugzilla.suse.com/1233668"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-52804 page",
"url": "https://www.suse.com/security/cve/CVE-2024-52804/"
}
],
"title": "Security update for python-tornado6",
"tracking": {
"current_release_date": "2024-12-02T12:28:43Z",
"generator": {
"date": "2024-12-02T12:28:43Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2024:4137-1",
"initial_release_date": "2024-12-02T12:28:43Z",
"revision_history": [
{
"date": "2024-12-02T12:28:43Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python311-tornado6-6.3.2-150400.9.6.1.aarch64",
"product": {
"name": "python311-tornado6-6.3.2-150400.9.6.1.aarch64",
"product_id": "python311-tornado6-6.3.2-150400.9.6.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "python311-tornado6-6.3.2-150400.9.6.1.i586",
"product": {
"name": "python311-tornado6-6.3.2-150400.9.6.1.i586",
"product_id": "python311-tornado6-6.3.2-150400.9.6.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "python311-tornado6-6.3.2-150400.9.6.1.ppc64le",
"product": {
"name": "python311-tornado6-6.3.2-150400.9.6.1.ppc64le",
"product_id": "python311-tornado6-6.3.2-150400.9.6.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "python311-tornado6-6.3.2-150400.9.6.1.s390x",
"product": {
"name": "python311-tornado6-6.3.2-150400.9.6.1.s390x",
"product_id": "python311-tornado6-6.3.2-150400.9.6.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "python311-tornado6-6.3.2-150400.9.6.1.x86_64",
"product": {
"name": "python311-tornado6-6.3.2-150400.9.6.1.x86_64",
"product_id": "python311-tornado6-6.3.2-150400.9.6.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Python 3 15 SP5",
"product": {
"name": "SUSE Linux Enterprise Module for Python 3 15 SP5",
"product_id": "SUSE Linux Enterprise Module for Python 3 15 SP5",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-python3:15:sp5"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Python 3 15 SP6",
"product": {
"name": "SUSE Linux Enterprise Module for Python 3 15 SP6",
"product_id": "SUSE Linux Enterprise Module for Python 3 15 SP6",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-python3:15:sp6"
}
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.5",
"product": {
"name": "openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.5"
}
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.6",
"product": {
"name": "openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.6"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-tornado6-6.3.2-150400.9.6.1.aarch64 as component of SUSE Linux Enterprise Module for Python 3 15 SP5",
"product_id": "SUSE Linux Enterprise Module for Python 3 15 SP5:python311-tornado6-6.3.2-150400.9.6.1.aarch64"
},
"product_reference": "python311-tornado6-6.3.2-150400.9.6.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Python 3 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-tornado6-6.3.2-150400.9.6.1.ppc64le as component of SUSE Linux Enterprise Module for Python 3 15 SP5",
"product_id": "SUSE Linux Enterprise Module for Python 3 15 SP5:python311-tornado6-6.3.2-150400.9.6.1.ppc64le"
},
"product_reference": "python311-tornado6-6.3.2-150400.9.6.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Python 3 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-tornado6-6.3.2-150400.9.6.1.s390x as component of SUSE Linux Enterprise Module for Python 3 15 SP5",
"product_id": "SUSE Linux Enterprise Module for Python 3 15 SP5:python311-tornado6-6.3.2-150400.9.6.1.s390x"
},
"product_reference": "python311-tornado6-6.3.2-150400.9.6.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Python 3 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-tornado6-6.3.2-150400.9.6.1.x86_64 as component of SUSE Linux Enterprise Module for Python 3 15 SP5",
"product_id": "SUSE Linux Enterprise Module for Python 3 15 SP5:python311-tornado6-6.3.2-150400.9.6.1.x86_64"
},
"product_reference": "python311-tornado6-6.3.2-150400.9.6.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Python 3 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-tornado6-6.3.2-150400.9.6.1.aarch64 as component of SUSE Linux Enterprise Module for Python 3 15 SP6",
"product_id": "SUSE Linux Enterprise Module for Python 3 15 SP6:python311-tornado6-6.3.2-150400.9.6.1.aarch64"
},
"product_reference": "python311-tornado6-6.3.2-150400.9.6.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Python 3 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-tornado6-6.3.2-150400.9.6.1.ppc64le as component of SUSE Linux Enterprise Module for Python 3 15 SP6",
"product_id": "SUSE Linux Enterprise Module for Python 3 15 SP6:python311-tornado6-6.3.2-150400.9.6.1.ppc64le"
},
"product_reference": "python311-tornado6-6.3.2-150400.9.6.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Python 3 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-tornado6-6.3.2-150400.9.6.1.s390x as component of SUSE Linux Enterprise Module for Python 3 15 SP6",
"product_id": "SUSE Linux Enterprise Module for Python 3 15 SP6:python311-tornado6-6.3.2-150400.9.6.1.s390x"
},
"product_reference": "python311-tornado6-6.3.2-150400.9.6.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Python 3 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-tornado6-6.3.2-150400.9.6.1.x86_64 as component of SUSE Linux Enterprise Module for Python 3 15 SP6",
"product_id": "SUSE Linux Enterprise Module for Python 3 15 SP6:python311-tornado6-6.3.2-150400.9.6.1.x86_64"
},
"product_reference": "python311-tornado6-6.3.2-150400.9.6.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Python 3 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-tornado6-6.3.2-150400.9.6.1.aarch64 as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:python311-tornado6-6.3.2-150400.9.6.1.aarch64"
},
"product_reference": "python311-tornado6-6.3.2-150400.9.6.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-tornado6-6.3.2-150400.9.6.1.ppc64le as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:python311-tornado6-6.3.2-150400.9.6.1.ppc64le"
},
"product_reference": "python311-tornado6-6.3.2-150400.9.6.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-tornado6-6.3.2-150400.9.6.1.s390x as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:python311-tornado6-6.3.2-150400.9.6.1.s390x"
},
"product_reference": "python311-tornado6-6.3.2-150400.9.6.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-tornado6-6.3.2-150400.9.6.1.x86_64 as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:python311-tornado6-6.3.2-150400.9.6.1.x86_64"
},
"product_reference": "python311-tornado6-6.3.2-150400.9.6.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-tornado6-6.3.2-150400.9.6.1.aarch64 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:python311-tornado6-6.3.2-150400.9.6.1.aarch64"
},
"product_reference": "python311-tornado6-6.3.2-150400.9.6.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-tornado6-6.3.2-150400.9.6.1.ppc64le as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:python311-tornado6-6.3.2-150400.9.6.1.ppc64le"
},
"product_reference": "python311-tornado6-6.3.2-150400.9.6.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-tornado6-6.3.2-150400.9.6.1.s390x as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:python311-tornado6-6.3.2-150400.9.6.1.s390x"
},
"product_reference": "python311-tornado6-6.3.2-150400.9.6.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-tornado6-6.3.2-150400.9.6.1.x86_64 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:python311-tornado6-6.3.2-150400.9.6.1.x86_64"
},
"product_reference": "python311-tornado6-6.3.2-150400.9.6.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.6"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-52804",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-52804"
}
],
"notes": [
{
"category": "general",
"text": "Tornado is a Python web framework and asynchronous networking library. The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This parsing occurs in the event loop thread and may block the processing of other requests. Version 6.4.2 fixes the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Python 3 15 SP5:python311-tornado6-6.3.2-150400.9.6.1.aarch64",
"SUSE Linux Enterprise Module for Python 3 15 SP5:python311-tornado6-6.3.2-150400.9.6.1.ppc64le",
"SUSE Linux Enterprise Module for Python 3 15 SP5:python311-tornado6-6.3.2-150400.9.6.1.s390x",
"SUSE Linux Enterprise Module for Python 3 15 SP5:python311-tornado6-6.3.2-150400.9.6.1.x86_64",
"SUSE Linux Enterprise Module for Python 3 15 SP6:python311-tornado6-6.3.2-150400.9.6.1.aarch64",
"SUSE Linux Enterprise Module for Python 3 15 SP6:python311-tornado6-6.3.2-150400.9.6.1.ppc64le",
"SUSE Linux Enterprise Module for Python 3 15 SP6:python311-tornado6-6.3.2-150400.9.6.1.s390x",
"SUSE Linux Enterprise Module for Python 3 15 SP6:python311-tornado6-6.3.2-150400.9.6.1.x86_64",
"openSUSE Leap 15.5:python311-tornado6-6.3.2-150400.9.6.1.aarch64",
"openSUSE Leap 15.5:python311-tornado6-6.3.2-150400.9.6.1.ppc64le",
"openSUSE Leap 15.5:python311-tornado6-6.3.2-150400.9.6.1.s390x",
"openSUSE Leap 15.5:python311-tornado6-6.3.2-150400.9.6.1.x86_64",
"openSUSE Leap 15.6:python311-tornado6-6.3.2-150400.9.6.1.aarch64",
"openSUSE Leap 15.6:python311-tornado6-6.3.2-150400.9.6.1.ppc64le",
"openSUSE Leap 15.6:python311-tornado6-6.3.2-150400.9.6.1.s390x",
"openSUSE Leap 15.6:python311-tornado6-6.3.2-150400.9.6.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-52804",
"url": "https://www.suse.com/security/cve/CVE-2024-52804"
},
{
"category": "external",
"summary": "SUSE Bug 1233668 for CVE-2024-52804",
"url": "https://bugzilla.suse.com/1233668"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Python 3 15 SP5:python311-tornado6-6.3.2-150400.9.6.1.aarch64",
"SUSE Linux Enterprise Module for Python 3 15 SP5:python311-tornado6-6.3.2-150400.9.6.1.ppc64le",
"SUSE Linux Enterprise Module for Python 3 15 SP5:python311-tornado6-6.3.2-150400.9.6.1.s390x",
"SUSE Linux Enterprise Module for Python 3 15 SP5:python311-tornado6-6.3.2-150400.9.6.1.x86_64",
"SUSE Linux Enterprise Module for Python 3 15 SP6:python311-tornado6-6.3.2-150400.9.6.1.aarch64",
"SUSE Linux Enterprise Module for Python 3 15 SP6:python311-tornado6-6.3.2-150400.9.6.1.ppc64le",
"SUSE Linux Enterprise Module for Python 3 15 SP6:python311-tornado6-6.3.2-150400.9.6.1.s390x",
"SUSE Linux Enterprise Module for Python 3 15 SP6:python311-tornado6-6.3.2-150400.9.6.1.x86_64",
"openSUSE Leap 15.5:python311-tornado6-6.3.2-150400.9.6.1.aarch64",
"openSUSE Leap 15.5:python311-tornado6-6.3.2-150400.9.6.1.ppc64le",
"openSUSE Leap 15.5:python311-tornado6-6.3.2-150400.9.6.1.s390x",
"openSUSE Leap 15.5:python311-tornado6-6.3.2-150400.9.6.1.x86_64",
"openSUSE Leap 15.6:python311-tornado6-6.3.2-150400.9.6.1.aarch64",
"openSUSE Leap 15.6:python311-tornado6-6.3.2-150400.9.6.1.ppc64le",
"openSUSE Leap 15.6:python311-tornado6-6.3.2-150400.9.6.1.s390x",
"openSUSE Leap 15.6:python311-tornado6-6.3.2-150400.9.6.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Python 3 15 SP5:python311-tornado6-6.3.2-150400.9.6.1.aarch64",
"SUSE Linux Enterprise Module for Python 3 15 SP5:python311-tornado6-6.3.2-150400.9.6.1.ppc64le",
"SUSE Linux Enterprise Module for Python 3 15 SP5:python311-tornado6-6.3.2-150400.9.6.1.s390x",
"SUSE Linux Enterprise Module for Python 3 15 SP5:python311-tornado6-6.3.2-150400.9.6.1.x86_64",
"SUSE Linux Enterprise Module for Python 3 15 SP6:python311-tornado6-6.3.2-150400.9.6.1.aarch64",
"SUSE Linux Enterprise Module for Python 3 15 SP6:python311-tornado6-6.3.2-150400.9.6.1.ppc64le",
"SUSE Linux Enterprise Module for Python 3 15 SP6:python311-tornado6-6.3.2-150400.9.6.1.s390x",
"SUSE Linux Enterprise Module for Python 3 15 SP6:python311-tornado6-6.3.2-150400.9.6.1.x86_64",
"openSUSE Leap 15.5:python311-tornado6-6.3.2-150400.9.6.1.aarch64",
"openSUSE Leap 15.5:python311-tornado6-6.3.2-150400.9.6.1.ppc64le",
"openSUSE Leap 15.5:python311-tornado6-6.3.2-150400.9.6.1.s390x",
"openSUSE Leap 15.5:python311-tornado6-6.3.2-150400.9.6.1.x86_64",
"openSUSE Leap 15.6:python311-tornado6-6.3.2-150400.9.6.1.aarch64",
"openSUSE Leap 15.6:python311-tornado6-6.3.2-150400.9.6.1.ppc64le",
"openSUSE Leap 15.6:python311-tornado6-6.3.2-150400.9.6.1.s390x",
"openSUSE Leap 15.6:python311-tornado6-6.3.2-150400.9.6.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-12-02T12:28:43Z",
"details": "moderate"
}
],
"title": "CVE-2024-52804"
}
]
}
fkie_cve-2024-52804
Vulnerability from fkie_nvd
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/advisories/GHSA-7pwv-g7hj-39pr | Not Applicable | |
| security-advisories@github.com | https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533 | Patch | |
| security-advisories@github.com | https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2025/01/msg00000.html |
| Vendor | Product | Version | |
|---|---|---|---|
| tornadoweb | tornado | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:tornadoweb:tornado:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6F76085D-6918-4959-959D-9B8A0DFD4724",
"versionEndExcluding": "6.4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Tornado is a Python web framework and asynchronous networking library. The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This parsing occurs in the event loop thread and may block the processing of other requests. Version 6.4.2 fixes the issue."
},
{
"lang": "es",
"value": "Tornado es un framework web de Python y una librer\u00eda de redes asincr\u00f3nicas. El algoritmo utilizado para analizar las cookies HTTP en las versiones de Tornado anteriores a la 6.4.2 a veces tiene una complejidad cuadr\u00e1tica, lo que genera un consumo excesivo de CPU al analizar encabezados de cookies manipulado con fines malintencionados. Este an\u00e1lisis se produce en el hilo del bucle de eventos y puede bloquear el procesamiento de otras solicitudes. La versi\u00f3n 6.4.2 soluciona el problema."
}
],
"id": "CVE-2024-52804",
"lastModified": "2025-11-03T23:17:15.537",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2024-11-22T16:15:34.417",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Not Applicable"
],
"url": "https://github.com/advisories/GHSA-7pwv-g7hj-39pr"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00000.html"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
},
{
"lang": "en",
"value": "CWE-770"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
CERTFR-2025-AVI-0563
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans les produits Splunk. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et une atteinte à la confidentialité des données.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
| Vendor | Product | Description |
|---|---|---|
| Splunk | Splunk Enterprise | Splunk Enterprise Cloud versions 9.3.2411.x antérieures à 9.3.2411.107 |
| Splunk | SOAR | Splunk SOAR versions antérieures à 6.4.1 |
| Splunk | Splunk Enterprise | Splunk Enterprise versions 9.4.x antérieures à 9.4.3 |
| Splunk | Universal Forwarder | Splunk Universal Forwarder versions 9.2.x antérieures à 9.2.7 |
| Splunk | Splunk Enterprise | Splunk Enterprise versions 9.3.x antérieures à 9.3.5 |
| Splunk | Splunk DB Connect | Splunk DB Connect versions antérieures à 4.0.0 |
| Splunk | Universal Forwarder | Splunk Universal Forwarder versions 9.3.x antérieures à 9.3.5 |
| Splunk | Universal Forwarder | Splunk Universal Forwarder versions 9.4.x antérieures à 9.4.3 |
| Splunk | Splunk Enterprise | Splunk Enterprise Cloud versions 9.3.2408.x antérieures à 9.3.2408.117 |
| Splunk | Splunk Enterprise | Splunk Enterprise versions 9.1.x antérieures à 9.1.10 |
| Splunk | Splunk Enterprise | Splunk Enterprise versions 9.2.x antérieures à 9.2.7 |
| Splunk | Splunk Enterprise | Splunk Enterprise Cloud versions 9.2.2406.x antérieures à 9.2.2406.121 |
| Splunk | Universal Forwarder | Splunk Universal Forwarder versions 9.1.x antérieures à 9.1.10 |
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Splunk Enterprise Cloud versions 9.3.2411.x ant\u00e9rieures \u00e0 9.3.2411.107",
"product": {
"name": "Splunk Enterprise",
"vendor": {
"name": "Splunk",
"scada": false
}
}
},
{
"description": "Splunk SOAR versions ant\u00e9rieures \u00e0 6.4.1",
"product": {
"name": "SOAR",
"vendor": {
"name": "Splunk",
"scada": false
}
}
},
{
"description": "Splunk Enterprise versions 9.4.x ant\u00e9rieures \u00e0 9.4.3",
"product": {
"name": "Splunk Enterprise",
"vendor": {
"name": "Splunk",
"scada": false
}
}
},
{
"description": "Splunk Universal Forwarder versions 9.2.x ant\u00e9rieures \u00e0 9.2.7",
"product": {
"name": "Universal Forwarder",
"vendor": {
"name": "Splunk",
"scada": false
}
}
},
{
"description": "Splunk Enterprise versions 9.3.x ant\u00e9rieures \u00e0 9.3.5",
"product": {
"name": "Splunk Enterprise",
"vendor": {
"name": "Splunk",
"scada": false
}
}
},
{
"description": "Splunk DB Connect versions ant\u00e9rieures \u00e0 4.0.0",
"product": {
"name": "Splunk DB Connect",
"vendor": {
"name": "Splunk",
"scada": false
}
}
},
{
"description": "Splunk Universal Forwarder versions 9.3.x ant\u00e9rieures \u00e0 9.3.5",
"product": {
"name": "Universal Forwarder",
"vendor": {
"name": "Splunk",
"scada": false
}
}
},
{
"description": "Splunk Universal Forwarder versions 9.4.x ant\u00e9rieures \u00e0 9.4.3",
"product": {
"name": "Universal Forwarder",
"vendor": {
"name": "Splunk",
"scada": false
}
}
},
{
"description": "Splunk Enterprise Cloud versions 9.3.2408.x ant\u00e9rieures \u00e0 9.3.2408.117",
"product": {
"name": "Splunk Enterprise",
"vendor": {
"name": "Splunk",
"scada": false
}
}
},
{
"description": "Splunk Enterprise versions 9.1.x ant\u00e9rieures \u00e0 9.1.10",
"product": {
"name": "Splunk Enterprise",
"vendor": {
"name": "Splunk",
"scada": false
}
}
},
{
"description": "Splunk Enterprise versions 9.2.x ant\u00e9rieures \u00e0 9.2.7",
"product": {
"name": "Splunk Enterprise",
"vendor": {
"name": "Splunk",
"scada": false
}
}
},
{
"description": "Splunk Enterprise Cloud versions 9.2.2406.x ant\u00e9rieures \u00e0 9.2.2406.121",
"product": {
"name": "Splunk Enterprise",
"vendor": {
"name": "Splunk",
"scada": false
}
}
},
{
"description": "Splunk Universal Forwarder versions 9.1.x ant\u00e9rieures \u00e0 9.1.10",
"product": {
"name": "Universal Forwarder",
"vendor": {
"name": "Splunk",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2024-9681",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-9681"
},
{
"name": "CVE-2022-30187",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30187"
},
{
"name": "CVE-2024-12797",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-12797"
},
{
"name": "CVE-2024-2466",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-2466"
},
{
"name": "CVE-2025-27414",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-27414"
},
{
"name": "CVE-2025-20324",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-20324"
},
{
"name": "CVE-2025-23388",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-23388"
},
{
"name": "CVE-2024-13176",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-13176"
},
{
"name": "CVE-2025-20319",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-20319"
},
{
"name": "CVE-2024-29857",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29857"
},
{
"name": "CVE-2023-5363",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-5363"
},
{
"name": "CVE-2020-28458",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-28458"
},
{
"name": "CVE-2025-20321",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-20321"
},
{
"name": "CVE-2024-45338",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-45338"
},
{
"name": "CVE-2025-20325",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-20325"
},
{
"name": "CVE-2024-11053",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-11053"
},
{
"name": "CVE-2025-23387",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-23387"
},
{
"name": "CVE-2024-7264",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-7264"
},
{
"name": "CVE-2021-23445",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-23445"
},
{
"name": "CVE-2024-48949",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-48949"
},
{
"name": "CVE-2025-23389",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-23389"
},
{
"name": "CVE-2024-21538",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21538"
},
{
"name": "CVE-2022-35583",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-35583"
},
{
"name": "CVE-2025-22868",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22868"
},
{
"name": "CVE-2024-52804",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-52804"
},
{
"name": "CVE-2025-20300",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-20300"
},
{
"name": "CVE-2024-45801",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-45801"
},
{
"name": "CVE-2024-45337",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-45337"
},
{
"name": "CVE-2025-20323",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-20323"
},
{
"name": "CVE-2024-9143",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-9143"
},
{
"name": "CVE-2024-38999",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38999"
},
{
"name": "CVE-2025-20320",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-20320"
},
{
"name": "CVE-2024-2398",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-2398"
},
{
"name": "CVE-2024-45230",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-45230"
},
{
"name": "CVE-2024-49767",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-49767"
},
{
"name": "CVE-2024-47875",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-47875"
},
{
"name": "CVE-2025-20322",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-20322"
},
{
"name": "CVE-2024-21272",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21272"
},
{
"name": "CVE-2025-22869",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22869"
},
{
"name": "CVE-2024-8096",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-8096"
},
{
"name": "CVE-2025-22870",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22870"
},
{
"name": "CVE-2024-39338",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-39338"
},
{
"name": "CVE-2024-21090",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21090"
},
{
"name": "CVE-2013-7489",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-7489"
},
{
"name": "CVE-2025-27789",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-27789"
},
{
"name": "CVE-2025-0725",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-0725"
},
{
"name": "CVE-2024-34064",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-34064"
},
{
"name": "CVE-2024-52616",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-52616"
},
{
"name": "CVE-2024-0853",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-0853"
},
{
"name": "CVE-2025-22952",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22952"
},
{
"name": "CVE-2024-32002",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-32002"
},
{
"name": "CVE-2025-0167",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-0167"
},
{
"name": "CVE-2024-6345",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-6345"
}
],
"initial_release_date": "2025-07-08T00:00:00",
"last_revision_date": "2025-07-08T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-0563",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-07-08T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Splunk. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0 distance et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Splunk",
"vendor_advisories": [
{
"published_at": "2025-07-07",
"title": "Bulletin de s\u00e9curit\u00e9 Splunk SVD-2025-0708",
"url": "https://advisory.splunk.com/advisories/SVD-2025-0708"
},
{
"published_at": "2025-07-07",
"title": "Bulletin de s\u00e9curit\u00e9 Splunk SVD-2025-0703",
"url": "https://advisory.splunk.com/advisories/SVD-2025-0703"
},
{
"published_at": "2025-07-07",
"title": "Bulletin de s\u00e9curit\u00e9 Splunk SVD-2025-0701",
"url": "https://advisory.splunk.com/advisories/SVD-2025-0701"
},
{
"published_at": "2025-07-07",
"title": "Bulletin de s\u00e9curit\u00e9 Splunk SVD-2025-0706",
"url": "https://advisory.splunk.com/advisories/SVD-2025-0706"
},
{
"published_at": "2025-07-07",
"title": "Bulletin de s\u00e9curit\u00e9 Splunk SVD-2025-0705",
"url": "https://advisory.splunk.com/advisories/SVD-2025-0705"
},
{
"published_at": "2025-07-07",
"title": "Bulletin de s\u00e9curit\u00e9 Splunk SVD-2025-0702",
"url": "https://advisory.splunk.com/advisories/SVD-2025-0702"
},
{
"published_at": "2025-07-07",
"title": "Bulletin de s\u00e9curit\u00e9 Splunk SVD-2025-0712",
"url": "https://advisory.splunk.com/advisories/SVD-2025-0712"
},
{
"published_at": "2025-07-07",
"title": "Bulletin de s\u00e9curit\u00e9 Splunk SVD-2025-0711",
"url": "https://advisory.splunk.com/advisories/SVD-2025-0711"
},
{
"published_at": "2025-07-07",
"title": "Bulletin de s\u00e9curit\u00e9 Splunk SVD-2025-0707",
"url": "https://advisory.splunk.com/advisories/SVD-2025-0707"
},
{
"published_at": "2025-07-07",
"title": "Bulletin de s\u00e9curit\u00e9 Splunk SVD-2025-0710",
"url": "https://advisory.splunk.com/advisories/SVD-2025-0710"
},
{
"published_at": "2025-07-07",
"title": "Bulletin de s\u00e9curit\u00e9 Splunk SVD-2025-0709",
"url": "https://advisory.splunk.com/advisories/SVD-2025-0709"
},
{
"published_at": "2025-07-07",
"title": "Bulletin de s\u00e9curit\u00e9 Splunk SVD-2025-0704",
"url": "https://advisory.splunk.com/advisories/SVD-2025-0704"
}
]
}
CERTFR-2025-AVI-0303
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans les produits Splunk. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
| Vendor | Product | Description |
|---|---|---|
| Splunk | Splunk SDK for JavaScript | Splunk SDK for JavaScript versions antérieures à 2.0.1 |
| Splunk | Splunk Connect for Syslog | Splunk Connect for Syslog versions antérieures à 3.34.3 |
| Splunk | N/A | Splunk sans les derniers correctifs de sécurité |
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Splunk SDK for JavaScript versions ant\u00e9rieures \u00e0 2.0.1",
"product": {
"name": "Splunk SDK for JavaScript",
"vendor": {
"name": "Splunk",
"scada": false
}
}
},
{
"description": "Splunk Connect for Syslog versions ant\u00e9rieures \u00e0 3.34.3",
"product": {
"name": "Splunk Connect for Syslog",
"vendor": {
"name": "Splunk",
"scada": false
}
}
},
{
"description": "Splunk sans les derniers correctifs de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "Splunk",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2024-47764",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-47764"
},
{
"name": "CVE-2024-53899",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53899"
},
{
"name": "CVE-2024-52804",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-52804"
},
{
"name": "CVE-2022-2309",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2309"
},
{
"name": "CVE-2022-37434",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-37434"
},
{
"name": "CVE-2023-43804",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-43804"
},
{
"name": "CVE-2020-28196",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-28196"
},
{
"name": "CVE-2021-30560",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-30560"
},
{
"name": "CVE-2024-39689",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-39689"
},
{
"name": "CVE-2022-23491",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-23491"
}
],
"initial_release_date": "2025-04-10T00:00:00",
"last_revision_date": "2025-04-10T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-0303",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-04-10T00:00:00.000000"
}
],
"risks": [
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Splunk. Elles permettent \u00e0 un attaquant de provoquer un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Splunk",
"vendor_advisories": [
{
"published_at": "2025-04-09",
"title": "Bulletin de s\u00e9curit\u00e9 Splunk SVD-2025-0408",
"url": "https://advisory.splunk.com/advisories/SVD-2025-0408"
},
{
"published_at": "2025-04-09",
"title": "Bulletin de s\u00e9curit\u00e9 Splunk SVD-2025-0417",
"url": "https://advisory.splunk.com/advisories/SVD-2025-0417"
},
{
"published_at": "2025-04-09",
"title": "Bulletin de s\u00e9curit\u00e9 Splunk SVD-2025-0404",
"url": "https://advisory.splunk.com/advisories/SVD-2025-0404"
},
{
"published_at": "2025-04-09",
"title": "Bulletin de s\u00e9curit\u00e9 Splunk SVD-2025-0413",
"url": "https://advisory.splunk.com/advisories/SVD-2025-0413"
},
{
"published_at": "2025-04-09",
"title": "Bulletin de s\u00e9curit\u00e9 Splunk SVD-2025-0407",
"url": "https://advisory.splunk.com/advisories/SVD-2025-0407"
},
{
"published_at": "2025-04-09",
"title": "Bulletin de s\u00e9curit\u00e9 Splunk SVD-2025-0415",
"url": "https://advisory.splunk.com/advisories/SVD-2025-0415"
},
{
"published_at": "2025-04-09",
"title": "Bulletin de s\u00e9curit\u00e9 Splunk SVD-2025-0409",
"url": "https://advisory.splunk.com/advisories/SVD-2025-0409"
},
{
"published_at": "2025-04-09",
"title": "Bulletin de s\u00e9curit\u00e9 Splunk SVD-2025-0406",
"url": "https://advisory.splunk.com/advisories/SVD-2025-0406"
},
{
"published_at": "2025-04-09",
"title": "Bulletin de s\u00e9curit\u00e9 Splunk SVD-2025-0414",
"url": "https://advisory.splunk.com/advisories/SVD-2025-0414"
},
{
"published_at": "2025-04-09",
"title": "Bulletin de s\u00e9curit\u00e9 Splunk SVD-2025-0403",
"url": "https://advisory.splunk.com/advisories/SVD-2025-0403"
},
{
"published_at": "2025-04-09",
"title": "Bulletin de s\u00e9curit\u00e9 Splunk SVD-2025-0411",
"url": "https://advisory.splunk.com/advisories/SVD-2025-0411"
},
{
"published_at": "2025-04-09",
"title": "Bulletin de s\u00e9curit\u00e9 Splunk SVD-2025-0410",
"url": "https://advisory.splunk.com/advisories/SVD-2025-0410"
},
{
"published_at": "2025-04-09",
"title": "Bulletin de s\u00e9curit\u00e9 Splunk SVD-2025-0416",
"url": "https://advisory.splunk.com/advisories/SVD-2025-0416"
},
{
"published_at": "2025-04-09",
"title": "Bulletin de s\u00e9curit\u00e9 Splunk SVD-2025-0412",
"url": "https://advisory.splunk.com/advisories/SVD-2025-0412"
},
{
"published_at": "2025-04-09",
"title": "Bulletin de s\u00e9curit\u00e9 Splunk SVD-2025-0405",
"url": "https://advisory.splunk.com/advisories/SVD-2025-0405"
}
]
}
ghsa-8w49-h785-mj3c
Vulnerability from github
The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This parsing occurs in the event loop thread and may block the processing of other requests.
See also CVE-2024-7592 for a similar vulnerability in cpython.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.4.1"
},
"package": {
"ecosystem": "PyPI",
"name": "tornado"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.4.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-52804"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2024-11-22T20:26:41Z",
"nvd_published_at": "2024-11-22T16:15:34Z",
"severity": "HIGH"
},
"details": "The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This parsing occurs in the event loop thread and may block the processing of other requests.\n\nSee also CVE-2024-7592 for a similar vulnerability in cpython.",
"id": "GHSA-8w49-h785-mj3c",
"modified": "2025-11-04T16:54:32Z",
"published": "2024-11-22T20:26:41Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52804"
},
{
"type": "WEB",
"url": "https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533"
},
{
"type": "PACKAGE",
"url": "https://github.com/tornadoweb/tornado"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00000.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Tornado has an HTTP cookie parsing DoS vulnerability"
}
opensuse-su-2024:14528-1
Vulnerability from csaf_opensuse
Notes
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "python310-tornado6-6.4.2-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the python310-tornado6-6.4.2-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-14528",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_14528-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2024:14528-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/KECEA6QVDQMKX34TWO73YYIDDQZZ476N/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2024:14528-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/KECEA6QVDQMKX34TWO73YYIDDQZZ476N/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-52804 page",
"url": "https://www.suse.com/security/cve/CVE-2024-52804/"
}
],
"title": "python310-tornado6-6.4.2-1.1 on GA media",
"tracking": {
"current_release_date": "2024-11-26T00:00:00Z",
"generator": {
"date": "2024-11-26T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:14528-1",
"initial_release_date": "2024-11-26T00:00:00Z",
"revision_history": [
{
"date": "2024-11-26T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python310-tornado6-6.4.2-1.1.aarch64",
"product": {
"name": "python310-tornado6-6.4.2-1.1.aarch64",
"product_id": "python310-tornado6-6.4.2-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "python311-tornado6-6.4.2-1.1.aarch64",
"product": {
"name": "python311-tornado6-6.4.2-1.1.aarch64",
"product_id": "python311-tornado6-6.4.2-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "python312-tornado6-6.4.2-1.1.aarch64",
"product": {
"name": "python312-tornado6-6.4.2-1.1.aarch64",
"product_id": "python312-tornado6-6.4.2-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "python313-tornado6-6.4.2-1.1.aarch64",
"product": {
"name": "python313-tornado6-6.4.2-1.1.aarch64",
"product_id": "python313-tornado6-6.4.2-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "python310-tornado6-6.4.2-1.1.ppc64le",
"product": {
"name": "python310-tornado6-6.4.2-1.1.ppc64le",
"product_id": "python310-tornado6-6.4.2-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python311-tornado6-6.4.2-1.1.ppc64le",
"product": {
"name": "python311-tornado6-6.4.2-1.1.ppc64le",
"product_id": "python311-tornado6-6.4.2-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python312-tornado6-6.4.2-1.1.ppc64le",
"product": {
"name": "python312-tornado6-6.4.2-1.1.ppc64le",
"product_id": "python312-tornado6-6.4.2-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python313-tornado6-6.4.2-1.1.ppc64le",
"product": {
"name": "python313-tornado6-6.4.2-1.1.ppc64le",
"product_id": "python313-tornado6-6.4.2-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "python310-tornado6-6.4.2-1.1.s390x",
"product": {
"name": "python310-tornado6-6.4.2-1.1.s390x",
"product_id": "python310-tornado6-6.4.2-1.1.s390x"
}
},
{
"category": "product_version",
"name": "python311-tornado6-6.4.2-1.1.s390x",
"product": {
"name": "python311-tornado6-6.4.2-1.1.s390x",
"product_id": "python311-tornado6-6.4.2-1.1.s390x"
}
},
{
"category": "product_version",
"name": "python312-tornado6-6.4.2-1.1.s390x",
"product": {
"name": "python312-tornado6-6.4.2-1.1.s390x",
"product_id": "python312-tornado6-6.4.2-1.1.s390x"
}
},
{
"category": "product_version",
"name": "python313-tornado6-6.4.2-1.1.s390x",
"product": {
"name": "python313-tornado6-6.4.2-1.1.s390x",
"product_id": "python313-tornado6-6.4.2-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "python310-tornado6-6.4.2-1.1.x86_64",
"product": {
"name": "python310-tornado6-6.4.2-1.1.x86_64",
"product_id": "python310-tornado6-6.4.2-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "python311-tornado6-6.4.2-1.1.x86_64",
"product": {
"name": "python311-tornado6-6.4.2-1.1.x86_64",
"product_id": "python311-tornado6-6.4.2-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "python312-tornado6-6.4.2-1.1.x86_64",
"product": {
"name": "python312-tornado6-6.4.2-1.1.x86_64",
"product_id": "python312-tornado6-6.4.2-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "python313-tornado6-6.4.2-1.1.x86_64",
"product": {
"name": "python313-tornado6-6.4.2-1.1.x86_64",
"product_id": "python313-tornado6-6.4.2-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python310-tornado6-6.4.2-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python310-tornado6-6.4.2-1.1.aarch64"
},
"product_reference": "python310-tornado6-6.4.2-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python310-tornado6-6.4.2-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python310-tornado6-6.4.2-1.1.ppc64le"
},
"product_reference": "python310-tornado6-6.4.2-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python310-tornado6-6.4.2-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python310-tornado6-6.4.2-1.1.s390x"
},
"product_reference": "python310-tornado6-6.4.2-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python310-tornado6-6.4.2-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python310-tornado6-6.4.2-1.1.x86_64"
},
"product_reference": "python310-tornado6-6.4.2-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-tornado6-6.4.2-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-tornado6-6.4.2-1.1.aarch64"
},
"product_reference": "python311-tornado6-6.4.2-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-tornado6-6.4.2-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-tornado6-6.4.2-1.1.ppc64le"
},
"product_reference": "python311-tornado6-6.4.2-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-tornado6-6.4.2-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-tornado6-6.4.2-1.1.s390x"
},
"product_reference": "python311-tornado6-6.4.2-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-tornado6-6.4.2-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-tornado6-6.4.2-1.1.x86_64"
},
"product_reference": "python311-tornado6-6.4.2-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python312-tornado6-6.4.2-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python312-tornado6-6.4.2-1.1.aarch64"
},
"product_reference": "python312-tornado6-6.4.2-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python312-tornado6-6.4.2-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python312-tornado6-6.4.2-1.1.ppc64le"
},
"product_reference": "python312-tornado6-6.4.2-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python312-tornado6-6.4.2-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python312-tornado6-6.4.2-1.1.s390x"
},
"product_reference": "python312-tornado6-6.4.2-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python312-tornado6-6.4.2-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python312-tornado6-6.4.2-1.1.x86_64"
},
"product_reference": "python312-tornado6-6.4.2-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-tornado6-6.4.2-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-tornado6-6.4.2-1.1.aarch64"
},
"product_reference": "python313-tornado6-6.4.2-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-tornado6-6.4.2-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-tornado6-6.4.2-1.1.ppc64le"
},
"product_reference": "python313-tornado6-6.4.2-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-tornado6-6.4.2-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-tornado6-6.4.2-1.1.s390x"
},
"product_reference": "python313-tornado6-6.4.2-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-tornado6-6.4.2-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-tornado6-6.4.2-1.1.x86_64"
},
"product_reference": "python313-tornado6-6.4.2-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-52804",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-52804"
}
],
"notes": [
{
"category": "general",
"text": "Tornado is a Python web framework and asynchronous networking library. The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This parsing occurs in the event loop thread and may block the processing of other requests. Version 6.4.2 fixes the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python310-tornado6-6.4.2-1.1.aarch64",
"openSUSE Tumbleweed:python310-tornado6-6.4.2-1.1.ppc64le",
"openSUSE Tumbleweed:python310-tornado6-6.4.2-1.1.s390x",
"openSUSE Tumbleweed:python310-tornado6-6.4.2-1.1.x86_64",
"openSUSE Tumbleweed:python311-tornado6-6.4.2-1.1.aarch64",
"openSUSE Tumbleweed:python311-tornado6-6.4.2-1.1.ppc64le",
"openSUSE Tumbleweed:python311-tornado6-6.4.2-1.1.s390x",
"openSUSE Tumbleweed:python311-tornado6-6.4.2-1.1.x86_64",
"openSUSE Tumbleweed:python312-tornado6-6.4.2-1.1.aarch64",
"openSUSE Tumbleweed:python312-tornado6-6.4.2-1.1.ppc64le",
"openSUSE Tumbleweed:python312-tornado6-6.4.2-1.1.s390x",
"openSUSE Tumbleweed:python312-tornado6-6.4.2-1.1.x86_64",
"openSUSE Tumbleweed:python313-tornado6-6.4.2-1.1.aarch64",
"openSUSE Tumbleweed:python313-tornado6-6.4.2-1.1.ppc64le",
"openSUSE Tumbleweed:python313-tornado6-6.4.2-1.1.s390x",
"openSUSE Tumbleweed:python313-tornado6-6.4.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-52804",
"url": "https://www.suse.com/security/cve/CVE-2024-52804"
},
{
"category": "external",
"summary": "SUSE Bug 1233668 for CVE-2024-52804",
"url": "https://bugzilla.suse.com/1233668"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update, use the SUSE recommended installation methods such as YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python310-tornado6-6.4.2-1.1.aarch64",
"openSUSE Tumbleweed:python310-tornado6-6.4.2-1.1.ppc64le",
"openSUSE Tumbleweed:python310-tornado6-6.4.2-1.1.s390x",
"openSUSE Tumbleweed:python310-tornado6-6.4.2-1.1.x86_64",
"openSUSE Tumbleweed:python311-tornado6-6.4.2-1.1.aarch64",
"openSUSE Tumbleweed:python311-tornado6-6.4.2-1.1.ppc64le",
"openSUSE Tumbleweed:python311-tornado6-6.4.2-1.1.s390x",
"openSUSE Tumbleweed:python311-tornado6-6.4.2-1.1.x86_64",
"openSUSE Tumbleweed:python312-tornado6-6.4.2-1.1.aarch64",
"openSUSE Tumbleweed:python312-tornado6-6.4.2-1.1.ppc64le",
"openSUSE Tumbleweed:python312-tornado6-6.4.2-1.1.s390x",
"openSUSE Tumbleweed:python312-tornado6-6.4.2-1.1.x86_64",
"openSUSE Tumbleweed:python313-tornado6-6.4.2-1.1.aarch64",
"openSUSE Tumbleweed:python313-tornado6-6.4.2-1.1.ppc64le",
"openSUSE Tumbleweed:python313-tornado6-6.4.2-1.1.s390x",
"openSUSE Tumbleweed:python313-tornado6-6.4.2-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python310-tornado6-6.4.2-1.1.aarch64",
"openSUSE Tumbleweed:python310-tornado6-6.4.2-1.1.ppc64le",
"openSUSE Tumbleweed:python310-tornado6-6.4.2-1.1.s390x",
"openSUSE Tumbleweed:python310-tornado6-6.4.2-1.1.x86_64",
"openSUSE Tumbleweed:python311-tornado6-6.4.2-1.1.aarch64",
"openSUSE Tumbleweed:python311-tornado6-6.4.2-1.1.ppc64le",
"openSUSE Tumbleweed:python311-tornado6-6.4.2-1.1.s390x",
"openSUSE Tumbleweed:python311-tornado6-6.4.2-1.1.x86_64",
"openSUSE Tumbleweed:python312-tornado6-6.4.2-1.1.aarch64",
"openSUSE Tumbleweed:python312-tornado6-6.4.2-1.1.ppc64le",
"openSUSE Tumbleweed:python312-tornado6-6.4.2-1.1.s390x",
"openSUSE Tumbleweed:python312-tornado6-6.4.2-1.1.x86_64",
"openSUSE Tumbleweed:python313-tornado6-6.4.2-1.1.aarch64",
"openSUSE Tumbleweed:python313-tornado6-6.4.2-1.1.ppc64le",
"openSUSE Tumbleweed:python313-tornado6-6.4.2-1.1.s390x",
"openSUSE Tumbleweed:python313-tornado6-6.4.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-11-26T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-52804"
}
]
}