CVE-2012-2374: Input Validation
CRLF injection vulnerability in the tornado.web.RequestHandler.set_header function in Tornado before 2.2.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted input.
Frequently Asked Questions
What is the severity of CVE-2012-2374?
CVE-2012-2374 is classified as a high severity vulnerability due to its potential for HTTP response splitting attacks.
How do I fix CVE-2012-2374?
To fix CVE-2012-2374, upgrade Tornado to version 2.2.1 or later.
Which versions of Tornado are affected by CVE-2012-2374?
CVE-2012-2374 affects Tornado versions before 2.2.1, including 1.0 to 2.1.1.
What type of attacks can be conducted using CVE-2012-2374?
CVE-2012-2374 allows remote attackers to perform HTTP response splitting attacks and inject arbitrary HTTP headers.
Who is vulnerable to CVE-2012-2374?
Any application using affected versions of Tornado prior to 2.2.1 is vulnerable to CVE-2012-2374.
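The following added example (not Tornado's code and not part of the original advisory) shows why a header setter that stores values unchecked permits response splitting, next to a setter that rejects control characters. All function names, the exception class and the sample value are hypothetical and constructed for illustration.

```python
import re

# CR and LF terminate a header line, so either one inside a value lets that
# value begin a new header. Tab (\x09) is left allowed here.
_UNSAFE = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


class HeaderInjectionError(ValueError):
    """Raised when a header name or value contains control characters."""


def serialize(status_line, headers):
    """Build the raw response head exactly as given, with no validation."""
    lines = [status_line] + ["%s: %s" % (k, v) for k, v in headers]
    return "\r\n".join(lines) + "\r\n\r\n"


def set_header_unchecked(headers, name, value):
    """Weak form: stores the value as-is, the behaviour the advisory describes."""
    headers.append((name, value))


def set_header_checked(headers, name, value):
    """Hardened form: refuses names or values that match _UNSAFE."""
    if _UNSAFE.search(name) or _UNSAFE.search(value):
        raise HeaderInjectionError("unsafe header: %r" % name)
    headers.append((name, value))


def header_names(raw):
    """Parse the response head as a client would and return the header names."""
    head = raw.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0] for line in head.split("\r\n")[1:]]


# Constructed sample: a redirect target copied from request input.
UNTRUSTED = "/home\r\nSet-Cookie: session=injected"


def demo():
    """Return (header names seen by a client, whether the checked setter refused)."""
    weak = []
    set_header_unchecked(weak, "Location", UNTRUSTED)
    names = header_names(serialize("HTTP/1.1 302 Found", weak))
    try:
        set_header_checked([], "Location", UNTRUSTED)
        rejected = False
    except HeaderInjectionError:
        rejected = True
    return names, rejected
```

One call to the unchecked setter yields two headers on the wire, while the checked setter raises before anything is stored.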