7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.1 High
AI Score
Confidence
Low
0.0004 Low
EPSS
Percentile
9.0%
When you send a request with the Authorization
header to one domain, and the response asks to redirect to a different domain, Scrapy’s built-in redirect middleware creates a follow-up redirect request that keeps the original Authorization
header, leaking its content to that second domain.
The right behavior would be to drop the Authorization
header instead, in this scenario.
Upgrade to Scrapy 2.11.1.
If you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.11.1 is not an option, you may upgrade to Scrapy 1.8.4 instead.
If you cannot upgrade, make sure that you are not using the Authentication
header, either directly or through some third-party plugin.
If you need to use that header in some requests, add "dont_redirect": True
to the request.meta
dictionary of those requests to disable following redirects for them.
If you need to keep (same domain) redirect support on those requests, make sure you trust the target website not to redirect your requests to a different domain.
This security issue was reported by @ranjit-git through huntr.com.
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.1 High
AI Score
Confidence
Low
0.0004 Low
EPSS
Percentile
9.0%