
CVE-2014-9720:
Tornado XSRF cookie allows side-channel attack against TLS (BREACH attack)

CVSS Score
6.5

Basic Information

EPSS Score
-
Published
5/17/2022
Updated
11/13/2024
KEV Status
No
Technology
Python

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Package Name
tornado
Ecosystem
pip
Vulnerable Versions
< 3.2.2
First Patched Version
3.2.2

Vulnerability Intelligence
Miggo AI

Miggo AI Root Cause Analysis

The vulnerability stemmed from Tornado's XSRF token generation being predictable and static across requests. The pre-3.2.2 implementation in xsrf_token() generated a fixed token (using os.urandom(16) only once per cookie lifetime) and sent it unmasked, so the same token bytes appeared verbatim in every response. When those responses were HTTP-compressed, that constant secret is exactly what BREACH exploits: an attacker able to observe compressed response lengths can recover it through a series of crafted requests. Commit 1c36307 introduced masking with a random salt in xsrf_token(), so the encoded token differs on every response while still unmasking to the same underlying value, and the test changes in web_test.py confirm the token uniqueness requirement. The assigned CWE-203 (Observable Discrepancy) fits: the side channel is the response-size discrepancy produced by the predictable token pattern.
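As an added illustration of the masking fix described above (example code written for this page, not Tornado's own implementation; the "2|mask|masked" layout, the function names and the 16-byte token length are assumptions):

```python
import hmac
import secrets

TOKEN_LEN = 16  # raw token bytes, matching the os.urandom(16) token described above


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def mask_token(raw_token: bytes) -> str:
    """Return a per-response encoding of the XSRF token.

    A fresh random mask is XORed with the token on every call, so the
    secret-derived bytes placed in a response body never repeat across
    responses even though the underlying token is constant. This removes
    the fixed plaintext that compression-based attacks such as BREACH
    need. Layout (hypothetical, not Tornado's): "2|<mask hex>|<masked hex>".
    """
    mask = secrets.token_bytes(len(raw_token))
    return "2|%s|%s" % (mask.hex(), xor_bytes(raw_token, mask).hex())


def unmask_token(encoded: str) -> bytes:
    """Recover the raw token from a masked encoding; raise on malformed input."""
    version, mask_hex, masked_hex = encoded.split("|")
    if version != "2":
        raise ValueError("unsupported token version")
    mask = bytes.fromhex(mask_hex)
    masked = bytes.fromhex(masked_hex)
    if len(mask) != len(masked):
        raise ValueError("mask/token length mismatch")
    return xor_bytes(masked, mask)


def tokens_match(cookie_token: bytes, submitted: str) -> bool:
    """Server-side check: unmask the submitted value, then compare in constant time."""
    try:
        return hmac.compare_digest(cookie_token, unmask_token(submitted))
    except ValueError:
        return False


if __name__ == "__main__":
    token = secrets.token_bytes(TOKEN_LEN)  # constructed sample cookie token
    first, second = mask_token(token), mask_token(token)
    print(first != second, tokens_match(token, first), tokens_match(token, second))
```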


WAF Protection Rules

WAF Rule

Tornado before 3.2.2 sends arbitrary responses that contain a fixed CSRF token and may be sent with HTTP compression, which makes it easier for remote attackers to conduct a BREACH attack and determine this token via a series of crafted requests.
