Search for vulnerabilities
| Vulnerability ID | VCID-auya-u2uf-27gn |
| Aliases |
GHSA-rmqv-7v3j-mr7p
|
| Summary | Duplicate Advisory: Scrapy decompression bomb vulnerability ## Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-7j7m-v7m3-jqm7. This link is maintained to preserve external references. ## Original Description The scrapy/scrapy project is vulnerable to XML External Entity (XXE) attacks due to the use of lxml.etree.fromstring for parsing untrusted XML data without proper validation. This vulnerability allows attackers to perform denial of service attacks, access local files, generate network connections, or circumvent firewalls by submitting specially crafted XML data. |
| Status | Published |
| Exploitability | None |
| Weighted Severity | None |
| Risk | None |
| Affected and Fixed Packages | Package Details |
| System | Score | Found at |
|---|---|---|
| cvssv3.1_qr | HIGH | https://github.com/advisories/GHSA-rmqv-7v3j-mr7p |
| cvssv3.1 | 7.5 | https://github.com/scrapy/scrapy |
| generic_textual | HIGH | https://github.com/scrapy/scrapy |
| cvssv3.1 | 7.5 | https://github.com/scrapy/scrapy/commit/809bfac4890f75fc73607318a04d2ccba71b3d9f |
| generic_textual | HIGH | https://github.com/scrapy/scrapy/commit/809bfac4890f75fc73607318a04d2ccba71b3d9f |
| cvssv3.1 | 7.5 | https://huntr.com/bounties/c4a0fac9-0c5a-4718-9ee4-2d06d58adabb |
| generic_textual | HIGH | https://huntr.com/bounties/c4a0fac9-0c5a-4718-9ee4-2d06d58adabb |
| cvssv3.1 | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-3572 |
| generic_textual | HIGH | https://nvd.nist.gov/vuln/detail/CVE-2024-3572 |
| Attack Vector (AV) | Attack Complexity (AC) | Privileges Required (PR) | User Interaction (UI) | Scope (S) | Confidentiality Impact (C) | Integrity Impact (I) | Availability Impact (A) |
|---|---|---|---|---|---|---|---|
network adjacent_network local physical |
low high |
none low high |
none required |
unchanged changed |
high low none |
high low none |
high low none |
| Attack Vector (AV) | Attack Complexity (AC) | Privileges Required (PR) | User Interaction (UI) | Scope (S) | Confidentiality Impact (C) | Integrity Impact (I) | Availability Impact (A) |
|---|---|---|---|---|---|---|---|
network adjacent_network local physical |
low high |
none low high |
none required |
unchanged changed |
high low none |
high low none |
high low none |
| Attack Vector (AV) | Attack Complexity (AC) | Privileges Required (PR) | User Interaction (UI) | Scope (S) | Confidentiality Impact (C) | Integrity Impact (I) | Availability Impact (A) |
|---|---|---|---|---|---|---|---|
network adjacent_network local physical |
low high |
none low high |
none required |
unchanged changed |
high low none |
high low none |
high low none |
| Attack Vector (AV) | Attack Complexity (AC) | Privileges Required (PR) | User Interaction (UI) | Scope (S) | Confidentiality Impact (C) | Integrity Impact (I) | Availability Impact (A) |
|---|---|---|---|---|---|---|---|
network adjacent_network local physical |
low high |
none low high |
none required |
unchanged changed |
high low none |
high low none |
high low none |
No EPSS data available for this vulnerability.
| Date | Actor | Action | Source | VulnerableCode Version |
|---|---|---|---|---|
| 2026-04-01T12:49:35.119466+00:00 | GithubOSV Importer | Import | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-rmqv-7v3j-mr7p/GHSA-rmqv-7v3j-mr7p.json | 38.0.0 |