GHSA-cc65-xxvf-f7r9

Source

https://github.com/advisories/GHSA-cc65-xxvf-f7r9

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-cc65-xxvf-f7r9/GHSA-cc65-xxvf-f7r9.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-cc65-xxvf-f7r9

Aliases

CVE-2024-1892

Published

2024-02-15T15:22:02Z

Modified

2024-04-16T16:27:42.839584Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

Scrapy vulnerable to ReDoS via XMLFeedSpider

Details

Impact

The following parts of the Scrapy API were found to be vulnerable to a ReDoS attack:

The XMLFeedSpider class or any subclass that uses the default node iterator: iternodes, as well as direct uses of the scrapy.utils.iterators.xmliter function.
Scrapy 2.6.0 to 2.11.0: The open_in_browser function for a response without a base tag.

Handling a malicious response could cause extreme CPU and memory usage during the parsing of its content, due to the use of vulnerable regular expressions for that parsing.

Patches

Upgrade to Scrapy 2.11.1.

If you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.11.1 is not an option, you may upgrade to Scrapy 1.8.4 instead.

Workarounds

For XMLFeedSpider, switch the node iterator to xml or html.

For open_in_browser, before using the function, either manually review the response content to discard a ReDos attack or manually define the base tag to avoid its automatic definition by open_in_browser later.

Acknowledgements

This security issue was reported by @nicecatch2000 through huntr.com.

Database specific

{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-1333"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-15T15:22:02Z"
}

References

Affected packages

PyPI / scrapy

Package

Name: scrapy; View open source insights on deps.dev
Purl: pkg:pypi/scrapy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2

Fixed

2.11.1

Affected versions

2.*

2.0.0

2.0.1

2.1.0

2.2.0

2.2.1

2.3.0

2.4.0

2.4.1

2.5.0

2.5.1

2.6.0

2.6.1

2.6.2

2.6.3

2.7.0

2.7.1

2.8.0

2.9.0

2.10.0

2.10.1

2.11.0

PyPI / scrapy

Package

Name: scrapy; View open source insights on deps.dev
Purl: pkg:pypi/scrapy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.8.4

Affected versions

0.*

0.7

0.8

0.9

0.10.4.2364

0.12.0.2550

0.14.1

0.14.2

0.14.3

0.14.4

0.16.0

0.16.1

0.16.2

0.16.3

0.16.4

0.16.5

0.18.0

0.18.1

0.18.2

0.18.3

0.18.4

0.20.0

0.20.1

0.20.2

0.22.0

0.22.1

0.22.2

0.24.0

0.24.1

0.24.2

0.24.3

0.24.4

0.24.5

0.24.6

1.*

1.0.0rc1

1.0.0rc2

1.0.0rc3

1.0.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

1.0.7

1.1.0rc1

1.1.0rc2

1.1.0rc3

1.1.0rc4

1.1.0

1.1.1

1.1.2

1.1.3

1.1.4

1.2.0

1.2.1

1.2.2

1.2.3

1.3.0

1.3.1

1.3.2

1.3.3

1.4.0

1.5.0

1.5.1

1.5.2

1.6.0

1.7.0

1.7.1

1.7.2

1.7.3

1.7.4

1.8.0

1.8.1

1.8.2

1.8.3