Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:pypi/scrapy@2.11.1
Typepypi
Namespace
Namescrapy
Version2.11.1
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version2.11.2
Latest_non_vulnerable_version2.14.2
Affected_by_vulnerabilities
0
url VCID-n6z2-awrh-7kbg
vulnerability_id VCID-n6z2-awrh-7kbg
summary In scrapy/scrapy, an issue was identified where the Authorization header is not removed during redirects that only change the scheme (e.g., HTTPS to HTTP) but remain within the same domain. This behavior contravenes the Fetch standard, which mandates the removal of Authorization headers in cross-origin requests when the scheme, host, or port changes. Consequently, when a redirect downgrades from HTTPS to HTTP, the Authorization header may be inadvertently exposed in plaintext, leading to potential sensitive information disclosure to unauthorized actors. The flaw is located in the _build_redirect_request function of the redirect middleware.
references
0
reference_url https://github.com/scrapy/scrapy/commit/1d0502f25bbe55a22899af915623fda1aaeb9dd8
reference_id
reference_type
scores
url https://github.com/scrapy/scrapy/commit/1d0502f25bbe55a22899af915623fda1aaeb9dd8
1
reference_url https://huntr.com/bounties/27f6a021-a891-446a-ada5-0226d619dd1a
reference_id
reference_type
scores
url https://huntr.com/bounties/27f6a021-a891-446a-ada5-0226d619dd1a
fixed_packages
0
url pkg:pypi/scrapy@2.11.2
purl pkg:pypi/scrapy@2.11.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/scrapy@2.11.2
aliases CVE-2024-1968, PYSEC-2024-258
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-n6z2-awrh-7kbg
Fixing_vulnerabilities
0
url VCID-42hv-czj8-hybb
vulnerability_id VCID-42hv-czj8-hybb
summary 
Scrapy authorization header leakage on cross-domain redirect
### Impact

When you send a request with the `Authorization` header to one domain, and the response asks to redirect to a different domain, Scrapy’s built-in redirect middleware creates a follow-up redirect request that keeps the original `Authorization` header, leaking its content to that second domain.

The [right behavior](https://fetch.spec.whatwg.org/#ref-for-cors-non-wildcard-request-header-name) would be to drop the `Authorization` header instead, in this scenario.

### Patches

Upgrade to Scrapy 2.11.1.

If you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.11.1 is not an option, you may upgrade to Scrapy 1.8.4 instead.

### Workarounds

If you cannot upgrade, make sure that you are not using the `Authentication` header, either directly or through some third-party plugin.

If you need to use that header in some requests, add `"dont_redirect": True` to the `request.meta` dictionary of those requests to disable following redirects for them.

If you need to keep (same domain) redirect support on those requests, make sure you trust the target website not to redirect your requests to a different domain.

### Acknowledgements

This security issue was reported by @ranjit-git [through huntr.com](https://huntr.com/bounties/49974321-2718-43e3-a152-62b16eed72a9/).
references
0
reference_url https://github.com/scrapy/scrapy/commit/ee7bd9d217fc126063575d5649f00bdeeca2faae
reference_id
reference_type
scores
url https://github.com/scrapy/scrapy/commit/ee7bd9d217fc126063575d5649f00bdeeca2faae
1
reference_url https://github.com/advisories/GHSA-cw9j-q3vf-hrrv
reference_id GHSA-cw9j-q3vf-hrrv
reference_type
scores
url https://github.com/advisories/GHSA-cw9j-q3vf-hrrv
2
reference_url https://github.com/scrapy/scrapy/security/advisories/GHSA-cw9j-q3vf-hrrv
reference_id GHSA-cw9j-q3vf-hrrv
reference_type
scores
url https://github.com/scrapy/scrapy/security/advisories/GHSA-cw9j-q3vf-hrrv
fixed_packages
0
url pkg:pypi/scrapy@1.8.4
purl pkg:pypi/scrapy@1.8.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-atnw-pnvj-zkhp
1
vulnerability VCID-n6z2-awrh-7kbg
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/scrapy@1.8.4
1
url pkg:pypi/scrapy@2.11.1
purl pkg:pypi/scrapy@2.11.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-n6z2-awrh-7kbg
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/scrapy@2.11.1
aliases GHSA-cw9j-q3vf-hrrv, GMS-2024-288
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-42hv-czj8-hybb
1
url VCID-atnw-pnvj-zkhp
vulnerability_id VCID-atnw-pnvj-zkhp
summary A Regular Expression Denial of Service (ReDoS) vulnerability exists in the XMLFeedSpider class of the scrapy/scrapy project, specifically in the parsing of XML content. By crafting malicious XML content that exploits inefficient regular expression complexity used in the parsing process, an attacker can cause a denial-of-service (DoS) condition. This vulnerability allows for the system to hang and consume significant resources, potentially rendering services that utilize Scrapy for XML processing unresponsive.
references
0
reference_url https://github.com/scrapy/scrapy/commit/479619b340f197a8f24c5db45bc068fb8755f2c5
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
url https://github.com/scrapy/scrapy/commit/479619b340f197a8f24c5db45bc068fb8755f2c5
1
reference_url https://huntr.com/bounties/271f94f2-1e05-4616-ac43-41752389e26b
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
url https://huntr.com/bounties/271f94f2-1e05-4616-ac43-41752389e26b
2
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065111
reference_id 1065111
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065111
fixed_packages
0
url pkg:pypi/scrapy@2.11.1
purl pkg:pypi/scrapy@2.11.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-n6z2-awrh-7kbg
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/scrapy@2.11.1
aliases CVE-2024-1892, PYSEC-2024-162
risk_score 3.0
exploitability 0.5
weighted_severity 5.9
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-atnw-pnvj-zkhp
2
url VCID-eps3-2rkz-r3gf
vulnerability_id VCID-eps3-2rkz-r3gf
summary 
Scrapy decompression bomb vulnerability
### Impact

Scrapy limits allowed response sizes by default through the [`DOWNLOAD_MAXSIZE`](https://docs.scrapy.org/en/latest/topics/settings.html#download-maxsize) and [`DOWNLOAD_WARNSIZE`](https://docs.scrapy.org/en/latest/topics/settings.html#download-warnsize) settings.

However, those limits were only being enforced during the download of the raw, usually-compressed response bodies, and not during decompression, making Scrapy vulnerable to [decompression bombs](https://cwe.mitre.org/data/definitions/409.html).

A malicious website being scraped could send a small response that, on decompression, could exhaust the memory available to the Scrapy process, potentially affecting any other process sharing that memory, and affecting disk usage in case of uncompressed response caching.

### Patches

Upgrade to Scrapy 2.11.1.

If you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.11.1 is not an option, you may upgrade to Scrapy 1.8.4 instead.

### Workarounds

There is no easy workaround.

Disabling HTTP decompression altogether is impractical, as HTTP compression is a rather common practice.

However, it is technically possible to manually backport the 2.11.1 or 1.8.4 fix, replacing the corresponding components of an unpatched version of Scrapy with patched versions copied into your own code.

### Acknowledgements

This security issue was reported by @dmandefy [through huntr.com](https://huntr.com/bounties/c4a0fac9-0c5a-4718-9ee4-2d06d58adabb/).
references
0
reference_url https://docs.scrapy.org/en/latest/news.html#scrapy-2-11-1-2024-02-14
reference_id
reference_type
scores
url https://docs.scrapy.org/en/latest/news.html#scrapy-2-11-1-2024-02-14
1
reference_url https://github.com/scrapy/scrapy/commit/71b8741e3607cfda2833c7624d4ada87071aa8e5
reference_id
reference_type
scores
url https://github.com/scrapy/scrapy/commit/71b8741e3607cfda2833c7624d4ada87071aa8e5
2
reference_url https://github.com/scrapy/scrapy/commit/809bfac4890f75fc73607318a04d2ccba71b3d9f
reference_id
reference_type
scores
url https://github.com/scrapy/scrapy/commit/809bfac4890f75fc73607318a04d2ccba71b3d9f
3
reference_url https://github.com/advisories/GHSA-7j7m-v7m3-jqm7
reference_id GHSA-7j7m-v7m3-jqm7
reference_type
scores
url https://github.com/advisories/GHSA-7j7m-v7m3-jqm7
4
reference_url https://github.com/scrapy/scrapy/security/advisories/GHSA-7j7m-v7m3-jqm7
reference_id GHSA-7j7m-v7m3-jqm7
reference_type
scores
url https://github.com/scrapy/scrapy/security/advisories/GHSA-7j7m-v7m3-jqm7
fixed_packages
0
url pkg:pypi/scrapy@1.8.4
purl pkg:pypi/scrapy@1.8.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-atnw-pnvj-zkhp
1
vulnerability VCID-n6z2-awrh-7kbg
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/scrapy@1.8.4
1
url pkg:pypi/scrapy@2.11.1
purl pkg:pypi/scrapy@2.11.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-n6z2-awrh-7kbg
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/scrapy@2.11.1
aliases GHSA-7j7m-v7m3-jqm7, GMS-2024-327
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-eps3-2rkz-r3gf
3
url VCID-rbs9-h2ay-qybj
vulnerability_id VCID-rbs9-h2ay-qybj
summary 
Duplicate
This advisory duplicates another.
references
0
reference_url https://github.com/scrapy/scrapy
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/scrapy/scrapy
1
reference_url https://github.com/scrapy/scrapy/commit/809bfac4890f75fc73607318a04d2ccba71b3d9f
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/scrapy/scrapy/commit/809bfac4890f75fc73607318a04d2ccba71b3d9f
2
reference_url https://huntr.com/bounties/c4a0fac9-0c5a-4718-9ee4-2d06d58adabb
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://huntr.com/bounties/c4a0fac9-0c5a-4718-9ee4-2d06d58adabb
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-3572
reference_id CVE-2024-3572
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-3572
4
reference_url https://github.com/advisories/GHSA-rmqv-7v3j-mr7p
reference_id GHSA-rmqv-7v3j-mr7p
reference_type
scores
url https://github.com/advisories/GHSA-rmqv-7v3j-mr7p
fixed_packages
0
url pkg:pypi/scrapy@2.11.1
purl pkg:pypi/scrapy@2.11.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-n6z2-awrh-7kbg
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/scrapy@2.11.1
aliases CVE-2024-3572, GHSA-rmqv-7v3j-mr7p
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-rbs9-h2ay-qybj
4
url VCID-spj3-t26x-aba3
vulnerability_id VCID-spj3-t26x-aba3
summary 
Duplicate
This advisory duplicates another.
references
0
reference_url https://github.com/scrapy/scrapy
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/scrapy/scrapy
1
reference_url https://github.com/scrapy/scrapy/commit/5bcb8fd5019c72d05c4a96da78a7fcb6ecb55b75
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/scrapy/scrapy/commit/5bcb8fd5019c72d05c4a96da78a7fcb6ecb55b75
2
reference_url https://huntr.com/bounties/49974321-2718-43e3-a152-62b16eed72a9
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://huntr.com/bounties/49974321-2718-43e3-a152-62b16eed72a9
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-3574
reference_id CVE-2024-3574
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-3574
4
reference_url https://github.com/advisories/GHSA-4q82-j5c2-g2c5
reference_id GHSA-4q82-j5c2-g2c5
reference_type
scores
url https://github.com/advisories/GHSA-4q82-j5c2-g2c5
5
reference_url https://github.com/advisories/GHSA-cw9j-q3vf-hrrv
reference_id GHSA-cw9j-q3vf-hrrv
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-cw9j-q3vf-hrrv
fixed_packages
0
url pkg:pypi/scrapy@2.11.1
purl pkg:pypi/scrapy@2.11.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-n6z2-awrh-7kbg
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/scrapy@2.11.1
aliases CVE-2024-3574, GHSA-4q82-j5c2-g2c5
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-spj3-t26x-aba3
5
url VCID-yxsd-514m-mqeu
vulnerability_id VCID-yxsd-514m-mqeu
summary 
Duplicate Advisory: ReDos vulnerability of XMLFeedSpider
## Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-cc65-xxvf-f7r9. This link is maintained to preserve external references.

## Original Description
Parts of the Scrapy API were found to be vulnerable to a ReDoS attack. Handling a malicious response could cause extreme CPU and memory usage during the parsing of its content, due to the use of vulnerable regular expressions for that parsing.
references
0
reference_url https://github.com/scrapy/scrapy/commit/479619b340f197a8f24c5db45bc068fb8755f2c5
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/scrapy/scrapy/commit/479619b340f197a8f24c5db45bc068fb8755f2c5
1
reference_url https://huntr.com/bounties/271f94f2-1e05-4616-ac43-41752389e26b
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://huntr.com/bounties/271f94f2-1e05-4616-ac43-41752389e26b
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-1892
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-1892
fixed_packages
0
url pkg:pypi/scrapy@1.8.4
purl pkg:pypi/scrapy@1.8.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-atnw-pnvj-zkhp
1
vulnerability VCID-n6z2-awrh-7kbg
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/scrapy@1.8.4
1
url pkg:pypi/scrapy@2.11.1
purl pkg:pypi/scrapy@2.11.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-n6z2-awrh-7kbg
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/scrapy@2.11.1
aliases GHSA-7c9g-vj9m-8pm6
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-yxsd-514m-mqeu
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:pypi/scrapy@2.11.1