Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
tornado AsyncHTTPClient accumulates decompressed chunks without size limit (gzip bomb)
Vulnerability Description
Tornado is a Python web framework and asynchronous networking library. Prior to 6.5.6, Tornado gzip decompression routines processed limited-size chunks but did not enforce an overall limit on accumulated decompressed chunks, allowing a malicious server accessed by SimpleAsyncHTTPClient or an HTTPServer configured with decompress_request=True to consume effectively unlimited memory. This issue is fixed in version 6.5.6.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Vulnerability Type
对高度压缩数据的处理不恰当(数据放大攻击)
Vulnerability Title
Tornado 资源管理错误漏洞
Vulnerability Description
Tornado是中国Tornado团队的一款异步网络编程框架。 Tornado 6.5.6之前版本存在资源管理错误漏洞,该漏洞源于gzip解压缩例程未对累计解压块设置整体限制,可能导致恶意服务器消耗无限内存。
CVSS Information
N/A
Vulnerability Type
N/A