CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.0004 Low
EPSS Percentile: 9.0%
In scrapy version 2.10.1, an issue was identified where the Authorization
header, containing credentials for server authentication, is leaked to a
third-party site during a cross-domain redirect. This vulnerability arises
from the failure to remove the Authorization header when redirecting across
domains. The exposure of the Authorization header to unauthorized actors
could potentially allow for account hijacking.
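The defensive check this advisory implies, as an added example that is not Scrapy's own code: before following a 3xx response, resolve the Location value against the original URL and drop the Authorization header whenever the target host differs from the one the credential was issued for. All names (`headers_for_redirect`, `SENSITIVE_HEADERS`, the sample URLs and token) are this example's own.

```python
from urllib.parse import urljoin, urlsplit

# Headers that carry credentials for the origin server and must not follow a
# redirect to another domain. Constructed for this example; not Scrapy's names.
SENSITIVE_HEADERS = frozenset({"authorization"})


def _host(url: str) -> str:
    """Lower-cased hostname of a URL ('' if it has none)."""
    return (urlsplit(url).hostname or "").lower()


def is_cross_domain(request_url: str, target_url: str) -> bool:
    """True when the redirect target is on a different host than the request."""
    return _host(request_url) != _host(target_url)


def headers_for_redirect(request_url: str, location: str, headers: dict):
    """Build the headers for the follow-up request after a 3xx response.

    `location` is the raw Location value and may be relative, so it is resolved
    against the original URL first. Returns (target_url, kept_headers, dropped_names).
    """
    target_url = urljoin(request_url, location)
    cross = is_cross_domain(request_url, target_url)
    kept, dropped = {}, []
    for name, value in headers.items():
        if cross and name.lower() in SENSITIVE_HEADERS:
            dropped.append(name)  # credential would otherwise leak to a third party
            continue
        kept[name] = value
    return target_url, kept, dropped


if __name__ == "__main__":
    # Constructed sample: an authenticated request redirected to another domain.
    original = {"Authorization": "Bearer SAMPLE-TOKEN", "Accept": "application/json"}
    print(headers_for_redirect("https://api.example.com/v1/data",
                               "https://cdn.example.net/v1/data", original))
    # A same-host relative redirect keeps the credential.
    print(headers_for_redirect("https://api.example.com/v1/data", "/v2/data", original))
```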
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | python-scrapy | < any | UNKNOWN |
ubuntu | 20.04 | noarch | python-scrapy | < any | UNKNOWN |
ubuntu | 22.04 | noarch | python-scrapy | < any | UNKNOWN |
ubuntu | 23.10 | noarch | python-scrapy | < any | UNKNOWN |
ubuntu | 16.04 | noarch | python-scrapy | < any | UNKNOWN |
github.com/scrapy/scrapy/commit/5bcb8fd5019c72d05c4a96da78a7fcb6ecb55b75 (2.11.1)
github.com/scrapy/scrapy/security/advisories/GHSA-cw9j-q3vf-hrrv
huntr.com/bounties/49974321-2718-43e3-a152-62b16eed72a9
launchpad.net/bugs/cve/CVE-2024-3574
nvd.nist.gov/vuln/detail/CVE-2024-3574
security-tracker.debian.org/tracker/CVE-2024-3574
www.cve.org/CVERecord?id=CVE-2024-3574