Lucene search

Veracode Vulnerability DatabaseVERACODE:45661

HistoryFeb 28, 2024 - 5:44 a.m.

ReDoS (Regular Expression Denial Of Service)

2024-02-2805:44:22

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

scrapy

vulnerability

regular expression denial of service

xmlfeedspider

xml

denial-of-service

resource consumption

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

scrapy is vulnerable to ReDoS (Regular Expression Denial Of Service). The vulnerability is due to a Regular Expression with inefficient complexity which is used to parse XML content when utilizing the XMLFeedSpider class when scraping XML. If the class is utilized to scrape an attacker-controlled web page, a denial-of-service situation can occur, resulting in the system hanging with significant resource consumption.

CPENameOperatorVersion
scrapyle2.11.0
scrapyle2.11.0

CPE	Name	Operator	Version
	scrapy	le	2.11.0
	scrapy	le	2.11.0

References

github.com/scrapy/scrapy/commit/479619b340f197a8f24c5db45bc068fb8755f2c5

huntr.com/bounties/271f94f2-1e05-4616-ac43-41752389e26b

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

Related for VERACODE:45661