CVE-2021-41124 – scrapy-splash
Package
Manager: pip
Name: scrapy-splash
Vulnerable Version: >=0 <0.8.0
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
EPSS: 0.00284 pctl0.51337
Details
Splash authentication credentials potentially leaked to target websites ### Impact If you use [`HttpAuthMiddleware`](http://doc.scrapy.org/en/latest/topics/downloader-middleware.html#module-scrapy.downloadermiddlewares.httpauth) (i.e. the `http_user` and `http_pass` spider attributes) for Splash authentication, any non-Splash request will expose your credentials to the request target. This includes `robots.txt` requests sent by Scrapy when the `ROBOTSTXT_OBEY` setting is set to `True`. ### Patches Upgrade to scrapy-splash 0.8.0 and use the new `SPLASH_USER` and `SPLASH_PASS` settings instead to set your Splash authentication credentials safely. ### Workarounds If you cannot upgrade, set your Splash request credentials on a per-request basis, [using the `splash_headers` request parameter](https://github.com/scrapy-plugins/scrapy-splash/tree/0.8.x#http-basic-auth), instead of defining them globally using the [`HttpAuthMiddleware`](http://doc.scrapy.org/en/latest/topics/downloader-middleware.html#module-scrapy.downloadermiddlewares.httpauth). Alternatively, make sure all your requests go through Splash. That includes disabling the [robots.txt middleware](https://docs.scrapy.org/en/latest/topics/downloader-middleware.html#topics-dlmw-robots). ### For more information If you have any questions or comments about this advisory: * [Open an issue](https://github.com/scrapy-plugins/scrapy-splash/issues) * [Email us](mailto:opensource@zyte.com)
Metadata
Created: 2021-10-06T17:49:23Z
Modified: 2024-10-26T22:52:44Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/10/GHSA-823f-cwm9-4g74/GHSA-823f-cwm9-4g74.json
CWE IDs: ["CWE-200"]
Alternative ID: GHSA-823f-cwm9-4g74
Finding: F017
Auto approve: 1