Description
Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the max_body_size setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts. This vulnerability is fixed in 6.5.5.
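As an added illustration (not Tornado's code and not the 6.5.5 fix), the following sketch caps the number of parts in a raw multipart/form-data body before it is handed to any multipart parser. The names `exceeds_part_limit`, `multipart_boundary`, `sample_body` and the `MAX_PARTS` value are assumptions made for this example; where the check is wired in depends on the deployment.

```python
import re

MAX_PARTS = 100  # assumed cap for this example, not a Tornado setting

_BOUNDARY_RE = re.compile(r'boundary=(?:"([^"]+)"|([^;\s]+))', re.IGNORECASE)


def multipart_boundary(content_type):
    """Return the boundary from a Content-Type header as bytes, or None."""
    if not content_type.lower().startswith("multipart/form-data"):
        return None
    match = _BOUNDARY_RE.search(content_type)
    if match is None:
        return None
    return (match.group(1) or match.group(2)).encode("latin-1")


def exceeds_part_limit(content_type, body, max_parts=MAX_PARTS):
    """Return True if body carries more than max_parts multipart parts.

    Only delimiter occurrences are counted; no part is parsed. Scanning
    stops as soon as the cap is passed.
    """
    boundary = multipart_boundary(content_type)
    if boundary is None:
        return False  # not multipart/form-data, nothing to count
    delimiter = b"--" + boundary
    count = 0
    pos = body.find(delimiter)
    while pos != -1:
        end = pos + len(delimiter)
        # "--boundary--" is a closing delimiter, not a part. Keep scanning
        # after it so an early closing delimiter cannot hide later parts.
        if body[end:end + 2] != b"--":
            count += 1
            if count > max_parts:
                return True
        pos = body.find(delimiter, end)
    return False


def sample_body(parts, boundary=b"XyZ"):
    """Constructed multipart body with `parts` small text fields."""
    field = b'Content-Disposition: form-data; name="f"\r\n\r\nv\r\n'
    return (b"--" + boundary + b"\r\n" + field) * parts + b"--" + boundary + b"--\r\n"
```

The count is conservative: any occurrence of the delimiter bytes is treated as a part boundary, so a malformed body can only be over-counted, never under-counted.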
Remediation
References