Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS1ybXF2LTd2M2otbXI3cM4AA7CD

Duplicate Advisory: Scrapy decompression bomb vulnerability

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-7j7m-v7m3-jqm7. This link is maintained to preserve external references.

Original Description

The scrapy/scrapy project is vulnerable to XML External Entity (XXE) attacks due to the use of lxml.etree.fromstring for parsing untrusted XML data without proper validation. This vulnerability allows attackers to perform denial of service attacks, access local files, generate network connections, or circumvent firewalls by submitting specially crafted XML data.

Permalink: https://github.com/advisories/GHSA-rmqv-7v3j-mr7p
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1ybXF2LTd2M2otbXI3cM4AA7CD
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 3 months ago
Updated: 3 months ago

Widthdrawn: 3 months ago

CVSS Score: 7.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Identifiers: GHSA-rmqv-7v3j-mr7p
References:

• https://nvd.nist.gov/vuln/detail/CVE-2024-3572
• https://github.com/scrapy/scrapy/commit/809bfac4890f75fc73607318a04d2ccba71b3d9f
• https://huntr.com/bounties/c4a0fac9-0c5a-4718-9ee4-2d06d58adabb
• https://github.com/advisories/GHSA-rmqv-7v3j-mr7p

Repository: https://github.com/scrapy/scrapy
Blast Radius: 25.8

Affected Packages