
CVE-2024-1968 scrapy

Package

Manager: pip
Name: scrapy
Vulnerable Version: >=0 <2.11.2

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00223 (percentile 0.44862)

Details

Scrapy leaks the authorization header on same-domain but cross-origin redirects

Impact

Since version 2.11.1, Scrapy drops the `Authorization` header when a request is redirected to a different domain. However, it keeps the header if the domain remains the same but the scheme (http/https) or the port changes, all scenarios where the header should also be dropped. In the context of a man-in-the-middle attack, this could be used to get access to the value of that `Authorization` header.

Patches

Upgrade to Scrapy 2.11.2.

Workarounds

There is no easy workaround for unpatched versions of Scrapy. You can replace the built-in redirect middlewares with custom ones patched for this issue, but you have to patch them yourself, manually.

References

This security issue was reported and fixed by @szarny at https://huntr.com/bounties/27f6a021-a891-446a-ada5-0226d619dd1a/.
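The following is an added illustration of the check described above; it is not Scrapy's own redirect middleware code and does not import Scrapy. It places a domain-only comparison (the flawed behaviour the advisory describes) beside a full origin comparison of scheme, host and port (the behaviour the advisory says is required), and shows how a redirect handler would use the stricter check to strip `Authorization` before following the redirect. Function names, the sample URLs and the treatment of a scheme's default port (80 for http, 443 for https) as equivalent to no explicit port are assumptions made for this example.

```python
from urllib.parse import urlsplit

# Default ports per scheme; used so that "https://host/" and "https://host:443/"
# are treated as the same origin (assumption for this example).
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) origin tuple for a URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def domain_only_drops_auth(original_url, redirect_url):
    """Flawed check: only the host is compared, so a scheme or port change
    on the same host keeps the Authorization header (the advisory's issue)."""
    return origin(original_url)[1] != origin(redirect_url)[1]


def full_origin_drops_auth(original_url, redirect_url):
    """Corrected check: any change in scheme, host or port is a new origin,
    so the Authorization header must be dropped."""
    return origin(original_url) != origin(redirect_url)


def headers_for_redirect(headers, original_url, redirect_url,
                         drops_auth=full_origin_drops_auth):
    """Build the header set for the redirected request.

    Header names are compared case-insensitively, as HTTP requires.
    The policy function decides whether Authorization is stripped.
    """
    if drops_auth(original_url, redirect_url):
        return {k: v for k, v in headers.items() if k.lower() != "authorization"}
    return dict(headers)


def leaks_under_domain_only_check(original_url, redirect_url):
    """True when the flawed check would forward Authorization to a different
    origin, i.e. the corrected check drops it but the domain-only check keeps it."""
    return (full_origin_drops_auth(original_url, redirect_url)
            and not domain_only_drops_auth(original_url, redirect_url))


if __name__ == "__main__":
    # Constructed sample redirect pairs.
    cases = [
        ("https://example.com/a", "https://example.com/b"),        # same origin
        ("https://example.com/a", "http://example.com/b"),         # scheme downgrade
        ("https://example.com/a", "https://example.com:8443/b"),   # port change
        ("https://example.com/a", "https://example.com:443/b"),    # default port
        ("https://example.com/a", "https://other.example/b"),      # other host
    ]
    sample_headers = {"Authorization": "Bearer CONSTRUCTED-TOKEN", "Accept": "*/*"}
    for src, dst in cases:
        kept = "Authorization" in headers_for_redirect(sample_headers, src, dst)
        print(f"{src} -> {dst}: keep_auth={kept} "
              f"leak_with_domain_only_check={leaks_under_domain_only_check(src, dst)}")
```

The two leaking cases are exactly the ones named in the advisory: the same host reached over a different scheme or on a different port. A custom redirect middleware for an unpatched version would apply `full_origin_drops_auth` to the request URL and the `Location` target before building the follow-up request.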

Metadata

Created: 2024-05-14T20:14:33Z
Modified: 2024-05-20T20:22:55Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-4qqq-9vqf-3h3f/GHSA-4qqq-9vqf-3h3f.json
CWE IDs: ["CWE-200"]
Alternative ID: GHSA-4qqq-9vqf-3h3f
Finding: F017
Auto approve: 1