CVE-2024-1892

2024-02-2800:15:53

Debian Security Bug Tracker

security-tracker.debian.org

cve-2024-1892

regular expression denial of service

xmlfeedspider

scrapy

parsing

xml content

inefficient regular expression

denial-of-service

dos

system hang

resource consumption

unresponsive services

unix

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.0004 Low

EPSS

Percentile

9.1%

JSON

A Regular Expression Denial of Service (ReDoS) vulnerability exists in the XMLFeedSpider class of the scrapy/scrapy project, specifically in the parsing of XML content. By crafting malicious XML content that exploits inefficient regular expression complexity used in the parsing process, an attacker can cause a denial-of-service (DoS) condition. This vulnerability allows for the system to hang and consume significant resources, potentially rendering services that utilize Scrapy for XML processing unresponsive.

OSVersionArchitecturePackageVersionFilename
Debian12allpython-scrapy<= 2.8.0-2python-scrapy_2.8.0-2_all.deb
Debian11allpython-scrapy<= 2.4.1-2+deb11u1python-scrapy_2.4.1-2+deb11u1_all.deb
Debian10allpython-scrapy<= 1.5.1-1+deb10u1python-scrapy_1.5.1-1+deb10u1_all.deb
Debian999allpython-scrapy< 2.11.1-1python-scrapy_2.11.1-1_all.deb
Debian13allpython-scrapy< 2.11.1-1python-scrapy_2.11.1-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	python-scrapy	<= 2.8.0-2	python-scrapy_2.8.0-2_all.deb
Debian	11	all	python-scrapy	<= 2.4.1-2+deb11u1	python-scrapy_2.4.1-2+deb11u1_all.deb
Debian	10	all	python-scrapy	<= 1.5.1-1+deb10u1	python-scrapy_1.5.1-1+deb10u1_all.deb
Debian	999	all	python-scrapy	< 2.11.1-1	python-scrapy_2.11.1-1_all.deb
Debian	13	all	python-scrapy	< 2.11.1-1	python-scrapy_2.11.1-1_all.deb