CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AI Score: 7 High (Confidence: High)
EPSS: 0.0004 Low (Percentile: 9.0%)
Scrapy is vulnerable to XML External Entity (XXE) injection. The vulnerability is due to the use of the lxml.etree.fromstring function without input validation, which allows an attacker who supplies specially crafted XML data to cause a denial of service, access local files, create network connections, or bypass firewalls.
docs.scrapy.org/en/latest/news.html#scrapy-2-11-1-2024-02-14
github.com/advisories/GHSA-7j7m-v7m3-jqm7
github.com/scrapy/scrapy/commit/71b8741e3607cfda2833c7624d4ada87071aa8e5
github.com/scrapy/scrapy/commit/809bfac4890f75fc73607318a04d2ccba71b3d9f
huntr.com/bounties/c4a0fac9-0c5a-4718-9ee4-2d06d58adabb