CVE-2024-1892

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-1892

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-1892.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2024-1892

Aliases

GHSA-cc65-xxvf-f7r9

Related

Published

2024-02-28T00:15:53Z

Modified

2024-10-12T11:16:19.347229Z

Summary

[none]

Details

A Regular Expression Denial of Service (ReDoS) vulnerability exists in the XMLFeedSpider class of the scrapy/scrapy project, specifically in the parsing of XML content. By crafting malicious XML content that exploits inefficient regular expression complexity used in the parsing process, an attacker can cause a denial-of-service (DoS) condition. This vulnerability allows for the system to hang and consume significant resources, potentially rendering services that utilize Scrapy for XML processing unresponsive.

References

Affected packages

Debian:11 / python-scrapy

Package

Name: python-scrapy
Purl: pkg:deb/debian/python-scrapy?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.4.1-2

2.4.1-2+deb11u1

2.5.0-1~exp1

2.5.0-1

2.5.0-2

2.5.1-1

2.5.1-2

2.6.1-1

2.6.2-1

2.7.0-1

2.7.1-1

2.8.0-1

2.8.0-2

2.9.0-1~exp1

2.9.0-1

2.9.0-2

2.10.0-1

2.11.0-1

2.11.0-2

2.11.1-1

2.11.1-2

2.11.2-1

2.11.2-2

2.11.2-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / python-scrapy

Package

Name: python-scrapy
Purl: pkg:deb/debian/python-scrapy?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.8.0-2

2.9.0-1~exp1

2.9.0-1

2.9.0-2

2.10.0-1

2.11.0-1

2.11.0-2

2.11.1-1

2.11.1-2

2.11.2-1

2.11.2-2

2.11.2-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / python-scrapy

Package

Name: python-scrapy
Purl: pkg:deb/debian/python-scrapy?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.11.1-1

Affected versions

2.*

2.8.0-2

2.9.0-1~exp1

2.9.0-1

2.9.0-2

2.10.0-1

2.11.0-1

2.11.0-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/scrapy/scrapy

Affected ranges

Type: GIT
Repo: https://github.com/scrapy/scrapy
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

479619b340f197a8f24c5db45bc068fb8755f2c5

Affected versions

0.*

0.10

0.10-rc1

0.10.1

0.10.2

0.10.3

0.14.0

0.15.0

0.15.1

0.17.0

0.18.0

0.19.0

0.21.0

0.23.0

0.24.0

0.25.0

0.25.1

0.7

0.7-rc1

0.8

0.9

0.9-rc1

1.*

1.0.0rc1

1.2.0

1.2.0dev2

1.2.1

1.2.2

1.3.0

1.3.1

1.3.2

1.4.0

1.5.0

1.6.0

1.7.0

1.8.0

2.*

2.0.0

2.1.0

2.10.0

2.10.1

2.11.0

2.2.0

2.3.0

2.4.0

2.4.1

2.5.0

2.6.0

2.6.1

2.6.2

2.7.0

2.7.1

2.8.0

2.9.0

Other

hojo

scrapy-0.*

scrapy-0.25.1-sc