GHSA-rmqv-7v3j-mr7p – scrapy

Package

Manager: pip
Name: scrapy
Vulnerable Version: <0

Severity

Level: High

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: N/A

EPSS: N/A pctlN/A

Details

Duplicate Advisory: Scrapy decompression bomb vulnerability ## Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-7j7m-v7m3-jqm7. This link is maintained to preserve external references. ## Original Description The scrapy/scrapy project is vulnerable to XML External Entity (XXE) attacks due to the use of lxml.etree.fromstring for parsing untrusted XML data without proper validation. This vulnerability allows attackers to perform denial of service attacks, access local files, generate network connections, or circumvent firewalls by submitting specially crafted XML data.

Metadata

Created: 2024-04-16T00:30:34Z
Modified: 2024-04-16T14:04:36Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-rmqv-7v3j-mr7p/GHSA-rmqv-7v3j-mr7p.json
CWE IDs: ["CWE-409"]
Alternative ID: N/A
Finding: N/A
Auto approve: 0