Bug 2328045 (CVE-2024-52804) - CVE-2024-52804 python-tornado: Tornado has HTTP cookie parsing DoS vulnerability
Summary: CVE-2024-52804 python-tornado: Tornado has HTTP cookie parsing DoS vulnerability
Keywords:
Status: NEW
Alias: CVE-2024-52804
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2328098 2328099 2328100 2328101 2367421
Blocks:
 
Reported: 2024-11-22 16:01 UTC by OSIDB Bzimport
Modified: 2025-05-20 04:52 UTC (History)
CC List: 0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System                  ID               Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2024:10590  0        None      None    None     2024-12-02 01:27:11 UTC
Red Hat Product Errata  RHSA-2024:10836  0        None      None    None     2024-12-05 10:15:58 UTC
Red Hat Product Errata  RHSA-2024:10843  0        None      None    None     2024-12-05 11:21:23 UTC
Red Hat Product Errata  RHSA-2025:2470   0        None      None    None     2025-03-10 01:01:16 UTC
Red Hat Product Errata  RHSA-2025:2471   0        None      None    None     2025-03-10 01:01:13 UTC
Red Hat Product Errata  RHSA-2025:2550   0        None      None    None     2025-03-10 18:45:20 UTC
Red Hat Product Errata  RHSA-2025:2872   0        None      None    None     2025-03-17 01:33:30 UTC
Red Hat Product Errata  RHSA-2025:2955   0        None      None    None     2025-03-17 16:09:20 UTC
Red Hat Product Errata  RHSA-2025:2956   0        None      None    None     2025-03-17 16:09:28 UTC
Red Hat Product Errata  RHSA-2025:3108   0        None      None    None     2025-03-24 10:37:37 UTC
Red Hat Product Errata  RHSA-2025:3109   0        None      None    None     2025-03-24 10:37:27 UTC

Description OSIDB Bzimport 2024-11-22 16:01:07 UTC
Tornado is a Python web framework and asynchronous networking library. The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This parsing occurs in the event loop thread and may block the processing of other requests. Version 6.4.2 fixes the issue.
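
The following is an added example, not code from the Tornado project or from this bug report. It reconstructs the two cookie-value unquoting algorithms so the complexity difference behind the description above can be measured offline: unquote_quadratic is modelled on the pre-6.4.2 loop (Tornado had copied the unquoting routine from an older CPython http.cookies._unquote, which runs two independent regex searches per escape), and unquote_linear on the single combined-regex pass used by the 6.4.2 fix. The function names, the worst_case_cookie_value payload builder and the timing helper are assumptions made for this demonstration; the payload is constructed, not captured.

```python
import re
import time
from typing import Callable, List

# Patterns used by the pre-fix algorithm: an octal escape (\ooo) and a
# generic backslash escape (\x). Each loop iteration searched for BOTH.
_OCTAL_PATT = re.compile(r"\\[0-3][0-7][0-7]")
_QUOTE_PATT = re.compile(r"[\\].")


def unquote_quadratic(value: str) -> str:
    """Modelled on the pre-6.4.2 loop (assumption: not Tornado's code verbatim).

    Two independent searches per iteration. If the generic escape matches at
    the current offset but no octal escape exists anywhere, the octal search
    rescans to the end of the string on every iteration: O(n^2) overall.
    """
    if len(value) < 2 or value[0] != '"' or value[-1] != '"':
        return value
    value = value[1:-1]
    i, n = 0, len(value)
    res: List[str] = []
    while 0 <= i < n:
        o_match = _OCTAL_PATT.search(value, i)
        q_match = _QUOTE_PATT.search(value, i)
        if not o_match and not q_match:
            res.append(value[i:])
            break
        j = k = -1
        if o_match:
            j = o_match.start(0)
        if q_match:
            k = q_match.start(0)
        if q_match and (not o_match or k < j):
            # Generic escape came first: keep the escaped character literally.
            res.append(value[i:k])
            res.append(value[k + 1])
            i = k + 2
        else:
            # Octal escape came first: decode \ooo to a single character.
            res.append(value[i:j])
            res.append(chr(int(value[j + 1:j + 4], 8)))
            i = j + 4
    return "".join(res)


# One combined pattern, one left-to-right pass: O(n). Group 1 is an octal
# escape, group 2 any other escaped character.
_UNQUOTE_SUB = re.compile(r"\\(?:([0-3][0-7][0-7])|(.))").sub


def _unquote_replace(m: "re.Match[str]") -> str:
    return chr(int(m[1], 8)) if m[1] else m[2]


def unquote_linear(value: str) -> str:
    """Modelled on the 6.4.2 fix: identical semantics in a single re.sub."""
    if len(value) < 2 or value[0] != '"' or value[-1] != '"':
        return value
    return _UNQUOTE_SUB(_unquote_replace, value[1:-1])


def worst_case_cookie_value(n: int) -> str:
    """Constructed attacker input: n generic escapes and no octal escape, so
    each iteration of the old loop rescans the whole tail for \\ooo."""
    return '"' + "\\a" * n + '"'


def cpu_seconds(fn: Callable[[str], str], value: str) -> float:
    """Wall-clock time of one call; this work happens on the event-loop
    thread in a real server, so it is time during which no other request
    on that loop makes progress."""
    start = time.perf_counter()
    fn(value)
    return time.perf_counter() - start


if __name__ == "__main__":
    for n in (1_000, 2_000, 4_000):
        payload = worst_case_cookie_value(n)
        print(f"n={n:>5}: quadratic {cpu_seconds(unquote_quadratic, payload):.3f}s, "
              f"linear {cpu_seconds(unquote_linear, payload):.5f}s")
```

Doubling n should roughly quadruple the quadratic timing while the linear version stays flat. Two caveats for anyone relying on a request-size limit instead of upgrading: the escapes are valid cookie syntax, so a WAF rule on characters will not catch them, and a header cap such as Tornado's HTTPServer max_header_size (64 KiB by default) still leaves room for tens of thousands of escapes per request, i.e. enough quadratic work to stall the loop for a noticeable time per request. The durable fix is the version in the advisory; check what is installed with `python -c "import tornado; print(tornado.version)"` or, on Red Hat systems, the errata listed in this bug.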

Comment 2 errata-xmlrpc 2024-12-02 01:27:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:10590 https://access.redhat.com/errata/RHSA-2024:10590

Comment 3 errata-xmlrpc 2024-12-05 10:15:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:10836 https://access.redhat.com/errata/RHSA-2024:10836

Comment 4 errata-xmlrpc 2024-12-05 11:21:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2024:10843 https://access.redhat.com/errata/RHSA-2024:10843

Comment 5 errata-xmlrpc 2025-03-10 01:01:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:2471 https://access.redhat.com/errata/RHSA-2025:2471

Comment 6 errata-xmlrpc 2025-03-10 01:01:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:2470 https://access.redhat.com/errata/RHSA-2025:2470

Comment 7 errata-xmlrpc 2025-03-10 18:45:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:2550 https://access.redhat.com/errata/RHSA-2025:2550

Comment 8 errata-xmlrpc 2025-03-17 01:33:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:2872 https://access.redhat.com/errata/RHSA-2025:2872

Comment 10 errata-xmlrpc 2025-03-17 16:09:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Via RHSA-2025:2955 https://access.redhat.com/errata/RHSA-2025:2955

Comment 11 errata-xmlrpc 2025-03-17 16:09:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2025:2956 https://access.redhat.com/errata/RHSA-2025:2956

Comment 12 errata-xmlrpc 2025-03-24 10:37:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2025:3109 https://access.redhat.com/errata/RHSA-2025:3109

Comment 13 errata-xmlrpc 2025-03-24 10:37:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2025:3108 https://access.redhat.com/errata/RHSA-2025:3108

