UBUNTU-CVE-2024-3574

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2024-3574

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-3574.json

JSON Data

https://api.test.osv.dev/v1/vulns/UBUNTU-CVE-2024-3574

Related

CVE-2024-3574

Published

2024-04-16T00:15:00Z

Modified

2024-10-15T14:14:11Z

Summary

[none]

Details

In scrapy version 2.10.1, an issue was identified where the Authorization header, containing credentials for server authentication, is leaked to a third-party site during a cross-domain redirect. This vulnerability arises from the failure to remove the Authorization header when redirecting across domains. The exposure of the Authorization header to unauthorized actors could potentially allow for account hijacking.

References

Affected packages

Ubuntu:Pro:16.04:LTS / python-scrapy

Package

Name: python-scrapy
Purl: pkg:deb/ubuntu/python-scrapy?arch=src?distro=esm-apps/xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.0.0-1

1.0.3-1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:Pro:18.04:LTS / python-scrapy

Package

Name: python-scrapy
Purl: pkg:deb/ubuntu/python-scrapy?arch=src?distro=esm-apps/bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.3.0-1~exp2

1.4.0-1

1.5.0-1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:20.04:LTS / python-scrapy

Package

Name: python-scrapy
Purl: pkg:deb/ubuntu/python-scrapy?arch=src?distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.7.3-1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:22.04:LTS / python-scrapy

Package

Name: python-scrapy
Purl: pkg:deb/ubuntu/python-scrapy?arch=src?distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.4.1-2

2.5.1-2

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:24.10 / python-scrapy

Package

Name: python-scrapy
Purl: pkg:deb/ubuntu/python-scrapy?arch=src?distro=oracular

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.11.1-1

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "2.11.1-1",
            "binary_name": "python-scrapy-doc"
        },
        {
            "binary_version": "2.11.1-1",
            "binary_name": "python3-scrapy"
        }
    ]
}

Ubuntu:24.04:LTS / python-scrapy

Package

Name: python-scrapy
Purl: pkg:deb/ubuntu/python-scrapy?arch=src?distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.11.1-1

Affected versions

2.*

2.10.0-1

2.11.0-1

2.11.0-2

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "2.11.1-1",
            "binary_name": "python-scrapy-doc"
        },
        {
            "binary_version": "2.11.1-1",
            "binary_name": "python3-scrapy"
        }
    ]
}