CVE-2012-2374: Tornado CRLF injection vulnerability

May 17, 2022 (updated November 18, 2024)

CRLF injection vulnerability in the tornado.web.RequestHandler.set_header function in Tornado before 2.2.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted input.

References

github.com/advisories/GHSA-f7fv-v9rh-prvc
github.com/pypa/advisory-database/tree/main/vulns/tornado/PYSEC-2012-5.yaml
github.com/tornadoweb/tornado
github.com/tornadoweb/tornado/commit/1ae91f6d58e6257e0ab49d295d8741ce1727bdb7
nvd.nist.gov/vuln/detail/CVE-2012-2374
web.archive.org/web/20140720192646/http://secunia.com/advisories/49185
web.archive.org/web/20200229124524/http://www.securityfocus.com/bid/53612

Code Behaviors & Features

Detect and mitigate CVE-2012-2374 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →