Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1janZyLW1majctajRqOM0viA
Incorrect Authorization and Exposure of Sensitive Information to an Unauthorized Actor in scrapy
Impact
If you manually define cookies on a Request object, and that Request object gets a redirect response, the new Request object scheduled to follow the redirect keeps those user-defined cookies, regardless of the target domain.
Patches
Upgrade to Scrapy 2.6.0, which resets cookies when creating Request objects to follow redirects¹, and drops a manually-defined Cookie header if the redirect target URL domain name does not match the source URL domain name².
If you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.6.0 is not an option, you may upgrade to Scrapy 1.8.2 instead.
¹ At that point the original, user-set cookies have been processed by the cookie middleware into the global or request-specific cookiejar, with their domain restricted to the domain of the original URL, so when the cookie middleware processes the new (redirect) request it will incorporate those cookies into the new request as long as the domain of the new request matches the domain of the original request.
² This prevents cookie leaks to unintended domains even if the cookies middleware is not used.
Workarounds
If you cannot upgrade, set your cookies using a list of dictionaries instead of a single dictionary, as described in the Request documentation, and set the right domain for each cookie.
Alternatively, you can disable cookies altogether, or limit target domains to domains that you trust with all your user-set cookies.
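As an added illustration (not Scrapy's own code), the Python below models the cookie decisions this advisory describes: the pre-fix behaviour that carries every user-defined cookie onto the redirect Request, the domain-scoped handling that the list-of-dictionaries workaround relies on, and the fixed releases' rule of dropping a manually-defined Cookie header on a cross-domain redirect. The cookie list and URLs are constructed samples.

```python
from urllib.parse import urlsplit

# Constructed sample: cookies defined manually on a Request as a list of dicts,
# the shape the Scrapy Request documentation describes (name/value/domain/path).
# A cookie passed without "domain" has no scope of its own and is treated here
# as bound to the host of the request it was set on.
USER_COOKIES = [
    {"name": "session", "value": "abc123", "domain": "example.com"},
    {"name": "prefs", "value": "dark", "domain": ".example.com"},
    {"name": "host_only", "value": "h1"},
]


def _host(url):
    return (urlsplit(url).hostname or "").lower()


def domain_matches(host, cookie_domain):
    """RFC 6265 domain-match: host equals cookie_domain or is a subdomain of it."""
    cookie_domain = cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


def redirect_cookies_unpatched(source_url, target_url, cookies):
    """Behaviour the advisory describes for Scrapy < 2.6.0 / < 1.8.2: the
    Request built to follow a redirect keeps every user-defined cookie,
    whatever the target domain. Both URLs are ignored on purpose."""
    return [c["name"] for c in cookies]


def redirect_cookies_scoped(source_url, target_url, cookies):
    """Hardened variant: forward only cookies whose domain matches the redirect
    target. Cookies without an explicit domain stay host-only on the source."""
    source, target = _host(source_url), _host(target_url)
    kept = []
    for c in cookies:
        domain = c.get("domain")
        allowed = domain_matches(target, domain) if domain else target == source
        if allowed:
            kept.append(c["name"])
    return kept


def drop_cookie_header(source_url, target_url):
    """Mirror of the second part of the fix: a manually-defined Cookie header
    must not be carried to a redirect whose domain differs from the source."""
    return _host(source_url) != _host(target_url)
```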
References
- Originally reported at huntr.dev
For more information
If you have any questions or comments about this advisory:
Permalink: https://github.com/advisories/GHSA-cjvr-mfj7-j4j8
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1janZyLW1majctajRqOM0viA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 3 years ago
Updated: 2 months ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS Percentage: 0.00104
EPSS Percentile: 0.43311
Identifiers: GHSA-cjvr-mfj7-j4j8, CVE-2022-0577
References:
- https://github.com/scrapy/scrapy/security/advisories/GHSA-cjvr-mfj7-j4j8
- https://github.com/scrapy/scrapy/commit/8ce01b3b76d4634f55067d6cfdf632ec70ba304a
- https://nvd.nist.gov/vuln/detail/CVE-2022-0577
- https://huntr.dev/bounties/3da527b1-2348-4f69-9e88-2e11a96ac585
- https://lists.debian.org/debian-lts-announce/2022/03/msg00021.html
- https://github.com/pypa/advisory-database/tree/main/vulns/scrapy/PYSEC-2022-159.yaml
- https://github.com/advisories/GHSA-cjvr-mfj7-j4j8
Blast Radius: 22.4
Affected Packages
pypi:scrapy
Dependent packages: 136
Dependent repositories: 2,753
Downloads: 1,377,165 last month
Affected Version Ranges: >= 2.0.0, < 2.6.0, < 1.8.2
Fixed in: 2.6.1, 1.8.2
All affected versions: 0.14.1, 0.14.2, 0.14.3, 0.14.4, 0.16.0, 0.16.1, 0.16.2, 0.16.3, 0.16.4, 0.16.5, 0.18.0, 0.18.1, 0.18.2, 0.18.3, 0.18.4, 0.20.0, 0.20.1, 0.20.2, 0.22.0, 0.22.1, 0.22.2, 0.24.0, 0.24.1, 0.24.2, 0.24.3, 0.24.4, 0.24.5, 0.24.6, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.4.0, 1.5.0, 1.5.1, 1.5.2, 1.6.0, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.8.0, 1.8.1, 2.0.0, 2.0.1, 2.1.0, 2.2.0, 2.2.1, 2.3.0, 2.4.0, 2.4.1, 2.5.0, 2.5.1
All unaffected versions: 1.8.2, 1.8.3, 1.8.4, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.7.0, 2.7.1, 2.8.0, 2.9.0, 2.10.0, 2.10.1, 2.11.0, 2.11.1, 2.11.2, 2.12.0