Authentication flaw

🗓️ 06 Oct 2021 18:15:00Reported by PRIOn knowledge baseType

Authentication flaw in Scrapy Python web scraping framework exposes HTTP credentials to request targets. Upgrade to Scrapy 2.5.1 for new http_auth_domain attribute control or use Scrapy 1.8.1. If unable to upgrade, set HTTP authentication credentials per request using w3lib.http.basic_auth_header function

Reporter	Title	Published	Views	Family All 34
CNNVD	Scrapy 信息泄露漏洞	6 Oct 202100:00	–	cnnvd
CVE	CVE-2021-41125	6 Oct 202117:15	–	cve
Cvelist	CVE-2021-41125 HTTP authentication credential leak to target websites in scrapy	6 Oct 202117:15	–	cvelist
Debian	[SECURITY] [DLA 2950-1] python-scrapy security update	16 Mar 202211:57	–	debian
Debian CVE	CVE-2021-41125	6 Oct 202117:15	–	debiancve
Tenable Nessus	Debian DLA-2950-1 : python-scrapy - LTS security update	16 Mar 202200:00	–	nessus
Tenable Nessus	Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS : Scrapy vulnerabilities (USN-7476-1)	5 May 202500:00	–	nessus
Tenable Nessus	Linux Distros Unpatched Vulnerability : CVE-2021-41125	18 Aug 202500:00	–	nessus
EUVD	EUVD-2021-0239	7 Oct 202500:30	–	euvd
Github Security Blog	Scrapy HTTP authentication credentials potentially leaked to target websites	6 Oct 202117:46	–	github

Source	Link
github	www.github.com/scrapy/scrapy/commit/b01d69a1bf48060daec8f751368622352d8b85a6
w3lib	www.w3lib.readthedocs.io/en/latest/w3lib.html
github	www.github.com/scrapy/scrapy/security/advisories/GHSA-jwqp-28gf-p498
doc	www.doc.scrapy.org/en/latest/topics/downloader-middleware.html
lists	www.lists.debian.org/debian-lts-announce/2022/03/msg00021.html

22 Apr 2022 16:00Current

6.5Medium risk

Vulners AI Score6.5

EPSS0.00251