logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2022-0577 scrapy

Package

Manager: pip
Name: scrapy
Vulnerable Version: >=0 <1.8.2 || >=2.0.0 <2.6.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00145 pctl0.35423

Details

Incorrect Authorization and Exposure of Sensitive Information to an Unauthorized Actor in scrapy ### Impact If you manually define cookies on a [`Request`](https://docs.scrapy.org/en/latest/topics/request-response.html#scrapy.http.Request) object, and that `Request` object gets a redirect response, the new `Request` object scheduled to follow the redirect keeps those user-defined cookies, regardless of the target domain. ### Patches Upgrade to Scrapy 2.6.0, which resets cookies when creating `Request` objects to follow redirects¹, and drops the ``Cookie`` header if manually-defined if the redirect target URL domain name does not match the source URL domain name². If you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.6.0 is not an option, you may upgrade to Scrapy 1.8.2 instead. ¹ At that point the original, user-set cookies have been processed by the cookie middleware into the global or request-specific cookiejar, with their domain restricted to the domain of the original URL, so when the cookie middleware processes the new (redirect) request it will incorporate those cookies into the new request as long as the domain of the new request matches the domain of the original request. ² This prevents cookie leaks to unintended domains even if the cookies middleware is not used. ### Workarounds If you cannot upgrade, set your cookies using a list of dictionaries instead of a single dictionary, as described in the [`Request` documentation](https://docs.scrapy.org/en/latest/topics/request-response.html#scrapy.http.Request), and set the right domain for each cookie. Alternatively, you can [disable cookies altogether](https://docs.scrapy.org/en/latest/topics/downloader-middleware.html#std-setting-COOKIES_ENABLED), or [limit target domains](https://docs.scrapy.org/en/latest/topics/spiders.html#scrapy.spiders.Spider.allowed_domains) to domains that you trust with all your user-set cookies. ### References * Originally reported at [huntr.dev](https://huntr.dev/bounties/3da527b1-2348-4f69-9e88-2e11a96ac585/) ### For more information If you have any questions or comments about this advisory: * [Open an issue](https://github.com/scrapy/scrapy/issues) * [Email us](mailto:opensource@zyte.com)

Metadata

Created: 2022-03-01T22:12:47Z
Modified: 2024-10-22T16:37:18Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-cjvr-mfj7-j4j8/GHSA-cjvr-mfj7-j4j8.json
CWE IDs: ["CWE-200", "CWE-863"]
Alternative ID: GHSA-cjvr-mfj7-j4j8
Finding: F308
Auto approve: 1