Executive Summary

This vulnerability in Tornado versions before 6.5.5 involves cookie attribute injection due to insufficient validation of the domain, path, and samesite arguments in the RequestHandler.set_cookie method.

Attackers could exploit this by including crafted characters, such as semicolons, in these cookie attributes, allowing them to inject unauthorized or malicious cookie attributes.

This improper handling of special characters corresponds to CWE-74, which is about improper neutralization of special elements used by downstream components, leading to injection vulnerabilities.

Useful 0 Not Useful 0

Impact Analysis

The vulnerability can lead to unauthorized manipulation of cookie attributes, potentially allowing attackers to alter cookie behavior or inject malicious values.

This can result in confidentiality and integrity losses, such as session hijacking or bypassing security controls that rely on cookie attributes.

The CVSS v3.1 base score is 7.2, indicating a high severity with network attack vector, no privileges required, and no user interaction needed.

However, the impact does not affect availability.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves injection of crafted characters into cookie attributes (domain, path, samesite) via the Tornado RequestHandler.set_cookie method. Detection would involve monitoring HTTP responses for cookies with suspicious or malformed attribute values, such as unexpected semicolons or special characters in these fields.

You can inspect HTTP traffic using tools like curl, tcpdump, or Wireshark to capture and analyze cookies set by Tornado-based applications.

• Use curl to view cookies and their attributes from a server response: curl -i http://yourserver/endpoint
• Use tcpdump to capture HTTP traffic on port 80 or 443: tcpdump -A -s 0 'tcp port 80 or tcp port 443'
• Use Wireshark to filter HTTP Set-Cookie headers and inspect cookie attributes for suspicious characters.

Look specifically for cookies where the domain, path, or samesite attributes contain semicolons or other illegal characters that could indicate injection attempts.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade Tornado to version 6.5.5 or later, where the vulnerability has been fixed by validating the domain, path, and samesite arguments in the set_cookie method to prevent injection of illegal characters.

If upgrading immediately is not possible, consider disabling multipart/form-data parsing if your application does not require it, as this reduces exposure to related request-based attacks.

Additionally, review and sanitize any user input that might be used in cookie attributes to prevent injection of crafted characters.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in Tornado before version 6.5.5 allows cookie attribute injection due to improper validation of cookie attributes such as domain, path, and samesite. This could lead to manipulation of cookie attributes, potentially impacting the confidentiality and integrity of user session data.

Such manipulation of cookies can undermine security controls that are critical for compliance with standards like GDPR and HIPAA, which require protection of personal and sensitive data. Improper cookie handling may lead to unauthorized access or data leakage, thereby affecting compliance with these regulations.

However, the provided information does not explicitly state the direct impact on compliance with these standards.

Useful 0 Not Useful 0