Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1jdzlqLXEzdmYtaHJyds4AA5Ui
Scrapy authorization header leakage on cross-domain redirect
Impact
When you send a request with the Authorization header to one domain, and the response asks to redirect to a different domain, Scrapy’s built-in redirect middleware creates a follow-up redirect request that keeps the original Authorization header, leaking its content to that second domain.
The right behavior would be to drop the Authorization header instead, in this scenario.
Patches
Upgrade to Scrapy 2.11.1.
If you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.11.1 is not an option, you may upgrade to Scrapy 1.8.4 instead.
Workarounds
If you cannot upgrade, make sure that you are not using the Authentication header, either directly or through some third-party plugin.
If you need to use that header in some requests, add "dont_redirect": True to the request.meta dictionary of those requests to disable following redirects for them.
If you need to keep (same domain) redirect support on those requests, make sure you trust the target website not to redirect your requests to a different domain.
Acknowledgements
This security issue was reported by @ranjit-git through huntr.com.
Permalink: https://github.com/advisories/GHSA-cw9j-q3vf-hrrvJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jdzlqLXEzdmYtaHJyds4AA5Ui
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 11 months ago
Updated: 8 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Percentage: 0.00043
EPSS Percentile: 0.10511
Identifiers: GHSA-cw9j-q3vf-hrrv, CVE-2024-3574
References:
- https://github.com/scrapy/scrapy/security/advisories/GHSA-cw9j-q3vf-hrrv
- https://github.com/scrapy/scrapy/commit/ee7bd9d217fc126063575d5649f00bdeeca2faae
- https://nvd.nist.gov/vuln/detail/CVE-2024-3574
- https://huntr.com/bounties/49974321-2718-43e3-a152-62b16eed72a9
- https://github.com/advisories/GHSA-cw9j-q3vf-hrrv
Blast Radius: 25.8
Affected Packages
pypi:scrapy
Dependent packages: 136Dependent repositories: 2,753
Downloads: 1,377,165 last month
Affected Version Ranges: < 1.8.4, >= 2, < 2.11.1
Fixed in: 1.8.4, 2.11.1
All affected versions: 0.14.1, 0.14.2, 0.14.3, 0.14.4, 0.16.0, 0.16.1, 0.16.2, 0.16.3, 0.16.4, 0.16.5, 0.18.0, 0.18.1, 0.18.2, 0.18.3, 0.18.4, 0.20.0, 0.20.1, 0.20.2, 0.22.0, 0.22.1, 0.22.2, 0.24.0, 0.24.1, 0.24.2, 0.24.3, 0.24.4, 0.24.5, 0.24.6, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.4.0, 1.5.0, 1.5.1, 1.5.2, 1.6.0, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 2.0.0, 2.0.1, 2.1.0, 2.2.0, 2.2.1, 2.3.0, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.7.0, 2.7.1, 2.8.0, 2.9.0, 2.10.0, 2.10.1, 2.11.0
All unaffected versions: 1.8.4, 2.11.1, 2.11.2, 2.12.0