Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1qd3FwLTI4Z2YtcDQ5OM0WOQ
Scrapy HTTP authentication credentials potentially leaked to target websites
Impact
If you use HttpAuthMiddleware (i.e. the http_user and http_pass spider attributes) for HTTP authentication, all requests will expose your credentials to the request target.
This includes requests generated by Scrapy components, such as robots.txt requests sent by Scrapy when the ROBOTSTXT_OBEY setting is set to True, or as requests reached through redirects.
Patches
Upgrade to Scrapy 2.5.1 and use the new http_auth_domain spider attribute to control which domains are allowed to receive the configured HTTP authentication credentials.
If you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.5.1 is not an option, you may upgrade to Scrapy 1.8.1 instead.
Workarounds
If you cannot upgrade, set your HTTP authentication credentials on a per-request basis, using for example the w3lib.http.basic_auth_header function to convert your credentials into a value that you can assign to the Authorization header of your request, instead of defining your credentials globally using HttpAuthMiddleware.
For more information
If you have any questions or comments about this advisory:
Permalink: https://github.com/advisories/GHSA-jwqp-28gf-p498JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qd3FwLTI4Z2YtcDQ5OM0WOQ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 3 years ago
Updated: 2 months ago
CVSS Score: 5.7
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
EPSS Percentage: 0.00246
EPSS Percentile: 0.63781
Identifiers: GHSA-jwqp-28gf-p498, CVE-2021-41125
References:
- https://github.com/scrapy/scrapy/security/advisories/GHSA-jwqp-28gf-p498
- https://github.com/scrapy/scrapy/commit/b01d69a1bf48060daec8f751368622352d8b85a6
- https://w3lib.readthedocs.io/en/latest/w3lib.html#w3lib.http.basic_auth_header
- http://doc.scrapy.org/en/latest/topics/downloader-middleware.html#module-scrapy.downloadermiddlewares.httpauth
- https://nvd.nist.gov/vuln/detail/CVE-2021-41125
- https://lists.debian.org/debian-lts-announce/2022/03/msg00021.html
- https://github.com/pypa/advisory-database/tree/main/vulns/scrapy/PYSEC-2021-363.yaml
- https://github.com/advisories/GHSA-jwqp-28gf-p498
Blast Radius: 19.6
Affected Packages
pypi:Scrapy
Dependent packages: 136Dependent repositories: 2,753
Downloads: 1,377,165 last month
Affected Version Ranges: >= 2.0.0, < 2.5.1, < 1.8.1
Fixed in: 2.5.1, 1.8.1
All affected versions: 0.14.1, 0.14.2, 0.14.3, 0.14.4, 0.16.0, 0.16.1, 0.16.2, 0.16.3, 0.16.4, 0.16.5, 0.18.0, 0.18.1, 0.18.2, 0.18.3, 0.18.4, 0.20.0, 0.20.1, 0.20.2, 0.22.0, 0.22.1, 0.22.2, 0.24.0, 0.24.1, 0.24.2, 0.24.3, 0.24.4, 0.24.5, 0.24.6, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.4.0, 1.5.0, 1.5.1, 1.5.2, 1.6.0, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.8.0, 2.0.0, 2.0.1, 2.1.0, 2.2.0, 2.2.1, 2.3.0, 2.4.0, 2.4.1, 2.5.0
All unaffected versions: 1.8.1, 1.8.2, 1.8.3, 1.8.4, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.7.0, 2.7.1, 2.8.0, 2.9.0, 2.10.0, 2.10.1, 2.11.0, 2.11.1, 2.11.2, 2.12.0