CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
AI Score: 6.7 Medium (Confidence: Low)
EPSS: 0.0004 Low (Percentile: 9.0%)
In scrapy/scrapy, an issue was identified where the Authorization header is
not removed during redirects that only change the scheme (e.g., HTTPS to
HTTP) but remain within the same domain. This behavior contravenes the
Fetch standard, which mandates the removal of Authorization headers in
cross-origin requests when the scheme, host, or port changes. Consequently,
when a redirect downgrades from HTTPS to HTTP, the Authorization header may
be inadvertently exposed in plaintext, leading to potential sensitive
information disclosure to unauthorized actors. The flaw is located in the
_build_redirect_request function of the redirect middleware.
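As an added example (not scrapy's own code), the origin comparison the Fetch standard calls for, shown beside a host-only comparison modelled on the advisory's description of the flaw; `origin`, `same_domain_only`, `should_strip_authorization` and `build_redirect_headers` are hypothetical names, and the sample URLs and headers are constructed:

```python
"""Origin-aware Authorization stripping on redirect (added example, not scrapy code)."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, effective port) origin tuple of a URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def same_domain_only(original_url, redirect_url):
    """Host-only comparison, assumed to model the flaw described in the advisory:
    an HTTPS -> HTTP redirect on the same host is treated as same-origin."""
    return urlsplit(original_url).hostname == urlsplit(redirect_url).hostname


def should_strip_authorization(original_url, redirect_url):
    """Fetch-standard rule: strip when scheme, host or port differs."""
    return origin(original_url) != origin(redirect_url)


def build_redirect_headers(headers, original_url, redirect_url):
    """Copy request headers for the redirected request, dropping Authorization
    whenever the redirect leaves the original origin (scheme downgrade included)."""
    new_headers = dict(headers)
    if should_strip_authorization(original_url, redirect_url):
        new_headers = {k: v for k, v in new_headers.items() if k.lower() != "authorization"}
    return new_headers


if __name__ == "__main__":
    # constructed sample request: same host, scheme downgraded from HTTPS to HTTP
    hdrs = {"Authorization": "Bearer constructed-sample-token", "Accept": "*/*"}
    src = "https://example.com/api"
    for dst in ("http://example.com/api", "https://example.com/other", "https://example.com:8443/api"):
        print(dst, "host-only keeps auth:", same_domain_only(src, dst),
              "origin rule strips auth:", should_strip_authorization(src, dst))
        print("  headers sent:", sorted(build_redirect_headers(hdrs, src, dst)))
```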
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | python-scrapy | < any | UNKNOWN |
ubuntu | 20.04 | noarch | python-scrapy | < any | UNKNOWN |
ubuntu | 22.04 | noarch | python-scrapy | < any | UNKNOWN |
ubuntu | 23.10 | noarch | python-scrapy | < any | UNKNOWN |
ubuntu | 24.04 | noarch | python-scrapy | < any | UNKNOWN |
ubuntu | 16.04 | noarch | python-scrapy | < any | UNKNOWN |