CVE-2021-41124

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2021-41124
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-41124.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2021-41124
Aliases
Related
Published
2021-10-05T21:15:09.590Z
Modified
2026-02-05T06:31:47.386530Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

Scrapy-splash is a library which provides Scrapy and JavaScript integration. In affected versions users who use <code>HttpAuthMiddleware</code> (i.e. the http_user and http_pass spider attributes) for Splash authentication will have any non-Splash request expose your credentials to the request target. This includes robots.txt requests sent by Scrapy when the ROBOTSTXT_OBEY setting is set to True. Upgrade to scrapy-splash 0.8.0 and use the new SPLASH_USER and SPLASH_PASS settings instead to set your Splash authentication credentials safely. If you cannot upgrade, set your Splash request credentials on a per-request basis, using the <code>splash_headers</code> request parameter, instead of defining them globally using the <code>HttpAuthMiddleware</code>. Alternatively, make sure all your requests go through Splash. That includes disabling the robots.txt middleware.

References

Affected packages

Git / github.com/scrapy-plugins/scrapy-splash

Affected ranges

Type
GIT
Repo
https://github.com/scrapy-plugins/scrapy-splash
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
2b253e57fe64ec575079c8cdc99fe2013502ea31

Affected versions

0.*
0.1
0.1.1
0.2
0.3
0.4
0.5
0.6
0.6.1
0.7
0.7.1
0.7.2

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-41124.json"