CVSS2: 4 Medium, AV:N/AC:L/Au:S/C:P/I:N/A:N (Attack Vector: NETWORK; Attack Complexity: LOW; Authentication: SINGLE; Confidentiality Impact: PARTIAL; Integrity Impact: NONE; Availability Impact: NONE)
CVSS3: 6.5 Medium, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: LOW; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: NONE; Availability Impact: NONE)
AI Score: 6.9 Medium (Confidence: High)
EPSS: 0.004 Low (Percentile: 72.6%)
The remote Debian 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-2950 advisory.
Scrapy is a high-level web crawling and scraping framework for Python. If you use `HttpAuthMiddleware` (i.e. the `http_user` and `http_pass` spider attributes) for HTTP authentication, all requests will expose your credentials to the request target. This includes requests generated by Scrapy components, such as `robots.txt` requests sent by Scrapy when the `ROBOTSTXT_OBEY` setting is set to `True`, or as requests reached through redirects. Upgrade to Scrapy 2.5.1 and use the new `http_auth_domain` spider attribute to control which domains are allowed to receive the configured HTTP authentication credentials. If you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.5.1 is not an option, you may upgrade to Scrapy 1.8.1 instead. If you cannot upgrade, set your HTTP authentication credentials on a per-request basis, using for example the `w3lib.http.basic_auth_header` function to convert your credentials into a value that you can assign to the `Authorization` header of your request, instead of defining your credentials globally using `HttpAuthMiddleware`. (CVE-2021-41125)
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository scrapy/scrapy prior to 2.6.1. (CVE-2022-0577)
Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.
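The following added example (not Scrapy's or Tenable's code) models the CVE-2021-41125 behaviour and the domain-scoping idea behind `http_auth_domain` using only the Python standard library. All function names, the sample URLs and the subdomain-matching rule are assumptions made for illustration.

```python
import base64
from urllib.parse import urlsplit

def basic_auth_value(user, password):
    """Build an HTTP Basic value for the Authorization header (RFC 7617)."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def host_in_domain(url, domain):
    """True if the URL's host is `domain` itself or one of its subdomains."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    domain = domain.lower().strip(".")
    return host == domain or host.endswith("." + domain)

def headers_unscoped(url, user, password):
    """Globally configured credentials: every target receives them."""
    return {"Authorization": basic_auth_value(user, password)}

def headers_scoped(url, user, password, auth_domain):
    """Attach credentials only when the target is inside auth_domain."""
    if auth_domain and host_in_domain(url, auth_domain):
        return {"Authorization": basic_auth_value(user, password)}
    return {}

# Constructed sample: URLs a single crawl might end up requesting.
AUTH_DOMAIN = "intranet.example"
CRAWL = [
    "https://intranet.example/reports",          # intended target
    "https://intranet.example/robots.txt",       # robots.txt, same host
    "https://api.intranet.example/v1/items",     # subdomain of the target
    "https://cdn.example.net/robots.txt",        # robots.txt on another host
    "https://tracker.example.org/landing",       # reached through a redirect
    "https://intranet.example.lookalike.test/",  # only looks like the target
]

def exposed_hosts(make_headers):
    """Hosts outside AUTH_DOMAIN that would receive an Authorization header."""
    return [
        urlsplit(url).hostname
        for url in CRAWL
        if "Authorization" in make_headers(url)
        and not host_in_domain(url, AUTH_DOMAIN)
    ]

def unscoped(url):
    return headers_unscoped(url, "user", "pass")

def scoped(url):
    return headers_scoped(url, "user", "pass", AUTH_DOMAIN)

if __name__ == "__main__":
    print("unscoped exposes credentials to:", exposed_hosts(unscoped))
    print("scoped exposes credentials to:  ", exposed_hosts(scoped))
```
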
```nasl
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory dla-2950. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(158996);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/11/06");

  script_cve_id("CVE-2021-41125", "CVE-2022-0577");

  script_name(english:"Debian DLA-2950-1 : python-scrapy - LTS security update");

  script_set_attribute(attribute:"synopsis", value:
"The remote Debian host is missing one or more security-related updates.");
  script_set_attribute(attribute:"description", value:
"The remote Debian 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the
dla-2950 advisory.
- Scrapy is a high-level web crawling and scraping framework for Python. If you use `HttpAuthMiddleware`
(i.e. the `http_user` and `http_pass` spider attributes) for HTTP authentication, all requests will expose
your credentials to the request target. This includes requests generated by Scrapy components, such as
`robots.txt` requests sent by Scrapy when the `ROBOTSTXT_OBEY` setting is set to `True`, or as requests
reached through redirects. Upgrade to Scrapy 2.5.1 and use the new `http_auth_domain` spider attribute to
control which domains are allowed to receive the configured HTTP authentication credentials. If you are
using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.5.1 is not an option, you may upgrade to
Scrapy 1.8.1 instead. If you cannot upgrade, set your HTTP authentication credentials on a per-request
basis, using for example the `w3lib.http.basic_auth_header` function to convert your credentials into a
value that you can assign to the `Authorization` header of your request, instead of defining your
credentials globally using `HttpAuthMiddleware`. (CVE-2021-41125)
- Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository scrapy/scrapy prior to
2.6.1. (CVE-2022-0577)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://security-tracker.debian.org/tracker/source-package/python-scrapy
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ef161ca1");
  script_set_attribute(attribute:"see_also", value:"https://www.debian.org/lts/security/2022/dla-2950");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2021-41125");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-0577");
  script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/stretch/python-scrapy");
  script_set_attribute(attribute:"solution", value:
"Upgrade the python-scrapy packages.
For Debian 9 stretch, these problems have been fixed in version 1.0.3-2+deb9u1.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-0577");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/10/06");
  script_set_attribute(attribute:"patch_publication_date", value:"2022/03/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/03/16");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:python-scrapy");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:python-scrapy-doc");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:9.0");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Debian Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('audit.inc');
include('debian_package.inc');

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

var release = get_kb_item('Host/Debian/release');
if ( isnull(release) ) audit(AUDIT_OS_NOT, 'Debian');
var release = chomp(release);
if (! preg(pattern:"^(9)\.[0-9]+", string:release)) audit(AUDIT_OS_NOT, 'Debian 9.0', 'Debian ' + release);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Debian', cpu);

var pkgs = [
  {'release': '9.0', 'prefix': 'python-scrapy', 'reference': '1.0.3-2+deb9u1'},
  {'release': '9.0', 'prefix': 'python-scrapy-doc', 'reference': '1.0.3-2+deb9u1'}
];

var flag = 0;
foreach package_array ( pkgs ) {
  var release = NULL;
  var prefix = NULL;
  var reference = NULL;
  if (!empty_or_null(package_array['release'])) release = package_array['release'];
  if (!empty_or_null(package_array['prefix'])) prefix = package_array['prefix'];
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (release && prefix && reference) {
    if (deb_check(release:release, prefix:prefix, reference:reference)) flag++;
  }
}

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : deb_report_get()
  );
  exit(0);
}
else
{
  var tested = deb_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'python-scrapy / python-scrapy-doc');
}
```
Vendor | Product | Version | CPE |
---|---|---|---|
debian | debian_linux | python-scrapy | p-cpe:/a:debian:debian_linux:python-scrapy |
debian | debian_linux | python-scrapy-doc | p-cpe:/a:debian:debian_linux:python-scrapy-doc |
debian | debian_linux | 9.0 | cpe:/o:debian:debian_linux:9.0 |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41125
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0577
www.nessus.org/u?ef161ca1
packages.debian.org/source/stretch/python-scrapy
security-tracker.debian.org/tracker/CVE-2021-41125
security-tracker.debian.org/tracker/CVE-2022-0577
www.debian.org/lts/security/2022/dla-2950