PYSEC-2024-162
See a problem?- Import Source
- https://github.com/pypa/advisory-database/blob/main/vulns/scrapy/PYSEC-2024-162.yaml
- JSON Data
- https://api.test.osv.dev/v1/vulns/PYSEC-2024-162
- Aliases
- Published
- 2024-02-28T00:15:53Z
- Modified
- 2025-01-14T05:56:55.289794Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- [none]
- Details
-
A Regular Expression Denial of Service (ReDoS) vulnerability exists in the XMLFeedSpider class of the scrapy/scrapy project, specifically in the parsing of XML content. By crafting malicious XML content that exploits inefficient regular expression complexity used in the parsing process, an attacker can cause a denial-of-service (DoS) condition. This vulnerability allows for the system to hang and consume significant resources, potentially rendering services that utilize Scrapy for XML processing unresponsive.
- References
Affected packages
PyPI / scrapy
Package
- Name
- scrapy
- View open source insights on deps.dev
- Purl
- pkg:pypi/scrapy
Affected ranges
- Type
- GIT
- Repo
- https://github.com/scrapy/scrapy
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedFixed
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.11.1
Affected versions
0.*
0.7
0.8
0.9
0.10.4.2364
0.12.0.2550
0.14.1
0.14.2
0.14.3
0.14.4
0.16.0
0.16.1
0.16.2
0.16.3
0.16.4
0.16.5
0.18.0
0.18.1
0.18.2
0.18.3
0.18.4
0.20.0
0.20.1
0.20.2
0.22.0
0.22.1
0.22.2
0.24.0
0.24.1
0.24.2
0.24.3
0.24.4
0.24.5
0.24.6
1.*
1.0.0rc1
1.0.0rc2
1.0.0rc3
1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.1.0rc1
1.1.0rc2
1.1.0rc3
1.1.0rc4
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.2.0
1.2.1
1.2.2
1.2.3
1.3.0
1.3.1
1.3.2
1.3.3
1.4.0
1.5.0
1.5.1
1.5.2
1.6.0
1.7.0
1.7.1
1.7.2
1.7.3
1.7.4
1.8.0
1.8.1
1.8.2
1.8.3
1.8.4
2.*
2.0.0
2.0.1
2.1.0
2.2.0
2.2.1
2.3.0
2.4.0
2.4.1
2.5.0
2.5.1
2.6.0
2.6.1
2.6.2
2.6.3
2.7.0
2.7.1
2.8.0
2.9.0
2.10.0
2.10.1
2.11.0