6.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2014-9720

GHSA ID

GHSA-8vpw-mgpf-mpvv

EPSS Score

0.74916%

CWE

CWE-203

Published

5/17/2022

Updated

11/13/2024

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2014-9720

CVE-2014-9720: Tornado XSRF cookie allows side-channel attack against TLS (BREACH attack)

Tornado before 3.2.2 sends arbitrary responses that contain a fixed CSRF token and may be sent with HTTP compression, which makes it easier for remote attackers to conduct a BREACH attack and determine this token via a series of crafted requests.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2014-9720

CVE-2014-9720:

6.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2014-9720

GHSA ID

GHSA-8vpw-mgpf-mpvv

EPSS Score

0.74916%

CWE

CWE-203

Published

5/17/2022

Updated

11/13/2024

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
tornado	pip	< 3.2.2	3.2.2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from Tornado's XSRF token generation being predictable and static across requests. The pre-3.2.2 implementation in xsrf_token() generated a fixed token (using os.urandom(16) only once per cookie lifetime) and sent it without masking. This allowed BREACH attackers to exploit HTTP compression patterns. The commit 1c36307 introduced masking with a random salt in xsrf_token(), and the test changes in web_test.py confirm the token uniqueness requirement. The CWE-203 (Observable Discrepancy) aligns with the predictable token pattern enabling side-channel attacks.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2014-9720: Tornado XSRF cookie allows side-channel attack against TLS (BREACH attack)

CVE-2014-9720:

6.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2014-9720: Tornado XSRF cookie allows side-channel attack against TLS (BREACH attack)

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

6.5

6.5

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI