GHSA-cw9j-q3vf-hrrv

Source

https://github.com/advisories/GHSA-cw9j-q3vf-hrrv

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-cw9j-q3vf-hrrv/GHSA-cw9j-q3vf-hrrv.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-cw9j-q3vf-hrrv

Aliases

CVE-2024-3574

Published

2024-02-15T15:32:15Z

Modified

2024-04-16T14:27:01.361528Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Scrapy authorization header leakage on cross-domain redirect

Details

Impact

When you send a request with the Authorization header to one domain, and the response asks to redirect to a different domain, Scrapy’s built-in redirect middleware creates a follow-up redirect request that keeps the original Authorization header, leaking its content to that second domain.

The right behavior would be to drop the Authorization header instead, in this scenario.

Patches

Upgrade to Scrapy 2.11.1.

If you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.11.1 is not an option, you may upgrade to Scrapy 1.8.4 instead.

Workarounds

If you cannot upgrade, make sure that you are not using the Authentication header, either directly or through some third-party plugin.

If you need to use that header in some requests, add "dont_redirect": True to the request.meta dictionary of those requests to disable following redirects for them.

If you need to keep (same domain) redirect support on those requests, make sure you trust the target website not to redirect your requests to a different domain.

Acknowledgements

This security issue was reported by @ranjit-git through huntr.com.

Database specific

{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-200"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-15T15:32:15Z"
}

References

Affected packages

PyPI / scrapy

Package

Name: scrapy; View open source insights on deps.dev
Purl: pkg:pypi/scrapy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2

Fixed

2.11.1

Affected versions

2.*

2.0.0

2.0.1

2.1.0

2.2.0

2.2.1

2.3.0

2.4.0

2.4.1

2.5.0

2.5.1

2.6.0

2.6.1

2.6.2

2.6.3

2.7.0

2.7.1

2.8.0

2.9.0

2.10.0

2.10.1

2.11.0

PyPI / scrapy

Package

Name: scrapy; View open source insights on deps.dev
Purl: pkg:pypi/scrapy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.8.4

Affected versions

0.*

0.7

0.8

0.9

0.10.4.2364

0.12.0.2550

0.14.1

0.14.2

0.14.3

0.14.4

0.16.0

0.16.1

0.16.2

0.16.3

0.16.4

0.16.5

0.18.0

0.18.1

0.18.2

0.18.3

0.18.4

0.20.0

0.20.1

0.20.2

0.22.0

0.22.1

0.22.2

0.24.0

0.24.1

0.24.2

0.24.3

0.24.4

0.24.5

0.24.6

1.*

1.0.0rc1

1.0.0rc2

1.0.0rc3

1.0.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

1.0.7

1.1.0rc1

1.1.0rc2

1.1.0rc3

1.1.0rc4

1.1.0

1.1.1

1.1.2

1.1.3

1.1.4

1.2.0

1.2.1

1.2.2

1.2.3

1.3.0

1.3.1

1.3.2

1.3.3

1.4.0

1.5.0

1.5.1

1.5.2

1.6.0

1.7.0

1.7.1

1.7.2

1.7.3

1.7.4

1.8.0

1.8.1

1.8.2

1.8.3