All versions of package tornado are vulnerable to Web Cache Poisoning by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones. Reference: https://snyk.io/vuln/SNYK-PYTHON-TORNADO-1017109
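The interpretation difference described above, as an added example that is not part of the original report or of Tornado's own code: it parses one query string the way a proxy that splits only on `&` would and the way a server that also splits on `;` would, then reports every parameter the two disagree on, which is the check a defender can run over access logs. The function names, the last-value-wins rule and the sample queries are assumptions made for illustration.

```python
from urllib.parse import unquote_plus


def parse_query(query, separators):
    """Split a raw query string on each character in `separators`.

    Returns name -> value; a repeated name keeps its last value
    (last-wins is an assumption made for this illustration).
    """
    for sep in separators:
        query = query.replace(sep, "&")
    params = {}
    for field in query.split("&"):
        if not field:
            continue
        name, _, value = field.partition("=")
        params[unquote_plus(name)] = unquote_plus(value)
    return params


def proxy_view(query):
    """A proxy that treats only '&' as a parameter separator."""
    return parse_query(query, "&")


def server_view(query):
    """A server that treats both '&' and ';' as separators."""
    return parse_query(query, "&;")


def cloaked_params(query):
    """Return {name: (proxy_value, server_value)} where the two views differ."""
    proxy, server = proxy_view(query), server_view(query)
    names = sorted(set(proxy) | set(server))
    return {n: (proxy.get(n), server.get(n))
            for n in names if proxy.get(n) != server.get(n)}


# Constructed sample query strings, not taken from real traffic.
SAMPLES = ["page=home&lang=en", "page=home&note=x;page=other"]

if __name__ == "__main__":
    for q in SAMPLES:
        diff = cloaked_params(q)
        print(q, "->", "consistent" if not diff else f"mismatch {diff}")
```

A non-empty result means the proxy and the server would act on different parameter values for the same request, so the request should be rejected or normalised before it can be cached.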
Created python-tornado tracking bugs for this issue:
Affects: epel-8 [bug 1926770]
Affects: fedora-all [bug 1926769]
Created python3-tornado tracking bugs for this issue:
Affects: epel-all [bug 1928196]
External References: https://snyk.io/vuln/SNYK-PYTHON-TORNADO-1017109
This CVE was rejected by upstream. See CVE-2021-23336.