Veracode Vulnerability Database: VERACODE:46484
History: Apr 17, 2024 - 10:06 a.m.

Information Leakage

2024-04-17 10:06:35
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
scrapy
information leakage
authorization
credentials
account hijacking

CVSS3: 7.5 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score: 6.6 Medium (Confidence: High)

EPSS: 0.0004 Low (Percentile: 9.0%)

scrapy is vulnerable to Information Leakage. It fails to remove the Authorization header when following a redirect to a different domain, which exposes sensitive credentials to unauthorized actors and could potentially lead to account hijacking.
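The check a redirect handler needs in order to avoid this leak, as an added example (not Scrapy's code or its fix). The function names are hypothetical, and "same domain" is assumed here to mean an identical hostname; the URLs and header values are constructed.

```python
from urllib.parse import urljoin, urlsplit

# Header named in the advisory; matched case-insensitively.
SENSITIVE_HEADERS = {"authorization"}


def redirect_target(request_url, location):
    """Resolve a Location value (absolute, relative or scheme-relative)."""
    return urljoin(request_url, location)


def same_domain(url_a, url_b):
    """True when both URLs name the same host (urlsplit lowercases hostname)."""
    host_a = urlsplit(url_a).hostname
    host_b = urlsplit(url_b).hostname
    return host_a is not None and host_a == host_b


def headers_for_redirect(request_url, location, headers):
    """Return (target_url, headers) for the request that follows a redirect.

    Credentials are carried over only when the redirect stays on the host
    they were originally sent to.
    """
    target = redirect_target(request_url, location)
    if same_domain(request_url, target):
        return target, dict(headers)
    kept = {k: v for k, v in headers.items()
            if k.lower() not in SENSITIVE_HEADERS}
    return target, kept


if __name__ == "__main__":
    # Constructed sample request and redirect responses.
    sent = {"Authorization": "Basic Y29uc3RydWN0ZWQ=",
            "User-Agent": "example-crawler"}
    origin = "https://api.example.com/v1/items"
    for location in ("/v2/items",
                     "https://cdn.example.net/items",
                     "//other.example.org/items"):
        target, out = headers_for_redirect(origin, location, sent)
        print(target, sorted(out))
```

A stricter policy would also compare scheme and port, so that a redirect from https to http on the same host drops the header as well.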
