Bug 58546 - CVE-2023-28370 – Tornado Web Server Vulnerability in UCS 5.0-10
Summary: CVE-2023-28370 – Tornado Web Server Vulnerability in UCS 5.0-10
Status: RESOLVED INVALID
Alias: None
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 5.0
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 5.0-10-errata
Assignee: UCS maintainers
QA Contact: UCS maintainers
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2025-08-27 10:36 CEST by Mirac Erdemiroglu
Modified: 2025-08-27 16:18 CEST (History)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2025082721000037
Bug group (optional): Security
Customer ID:
Max CVSS v3 score:


Comment 1 Mirac Erdemiroglu univentionstaff 2025-08-27 10:39:08 CEST
Product: Univention Corporate Server
Version: 5.0-10
Component: Tornado Web Server - python-tornado 5.1.1-4+deb10u2A~5.0.10.202506302340
Severity: Security

Summary: CVE-2023-28370 – Tornado vulnerability (max_body_size bypass) affects UCS 5.0-10

Description:

1. Summary
CVE-2023-28370 is a security vulnerability in Tornado Web Server versions prior to 6.3.3, allowing the bypass of the max_body_size limit when using chunked transfer encoding. This may lead to uncontrolled memory consumption and denial-of-service (DoS) conditions.

2. Affected Product
Univention Corporate Server (UCS) 5.0-10
Tornado version: 5.1.1 (affected)

3. Fixed in
UCS 5.2 (includes a patched Tornado version)

4. Impact
Attackers may exploit this flaw by sending specially crafted HTTP requests with chunked transfer encoding, potentially leading to memory exhaustion and service disruption.

5. Details
According to Debian Security Tracker – CVE-2023-28370: https://security-tracker.debian.org/tracker/CVE-2023-28370, Tornado does not properly enforce max_body_size limits during chunked transfer processing, allowing clients to bypass configured restrictions.

6. Expected Behavior
Tornado should enforce max_body_size limits regardless of the transfer encoding used.

7. Actual Behavior
The limit is not enforced under certain conditions, creating a potential DoS vector.

8. Request for Action
This vulnerability has already been resolved in UCS 5.2. However, UCS 5.0-10 still ships with Tornado 5.1.1, which is affected.
A backport of the security fix for Tornado is required for UCS 5.0-10.
The updated package should be provided via the UCS 5.0 maintenance channels to ensure long-term support compliance.

9. References
CVE-2023-28370: https://security-tracker.debian.org/tracker/CVE-2023-28370
Comment 2 Florian Best univentionstaff 2025-08-27 10:51:30 CEST
CVE-2023-28370 is "Open redirect vulnerability in Tornado versions 6.3.1 and earlier allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having user access a specially crafted URL." (in StaticFileHandler) and not "Tornado vulnerability (max_body_size bypass)".

Please set the correct CVE. And set the Max CVSS v3 score.
Comment 3 Arvid Requate univentionstaff 2025-08-27 16:11:53 CEST
Can be closed as duplicate of the fixed Bug #57918.

https://deb.freexian.com/extended-lts/tracker/CVE-2023-28370

*** This bug has been marked as a duplicate of bug 57918 ***
Comment 4 Arvid Requate univentionstaff 2025-08-27 16:18:50 CEST
Ah, wrong bug, this is the right one for 5.0-x: Bug #57850