Vulnerability-Lookup

CVE-2021-41125 (GCVE-0-2021-41125)

Vulnerability from cvelistv5 – Published: 2021-10-06 17:15 – Updated: 2024-08-04 02:59

Title

HTTP authentication credential leak to target websites in scrapy

Summary

Scrapy is a high-level web crawling and scraping framework for Python. If you use `HttpAuthMiddleware` (i.e. the `http_user` and `http_pass` spider attributes) for HTTP authentication, all requests will expose your credentials to the request target. This includes requests generated by Scrapy components, such as `robots.txt` requests sent by Scrapy when the `ROBOTSTXT_OBEY` setting is set to `True`, or as requests reached through redirects. Upgrade to Scrapy 2.5.1 and use the new `http_auth_domain` spider attribute to control which domains are allowed to receive the configured HTTP authentication credentials. If you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.5.1 is not an option, you may upgrade to Scrapy 1.8.1 instead. If you cannot upgrade, set your HTTP authentication credentials on a per-request basis, using for example the `w3lib.http.basic_auth_header` function to convert your credentials into a value that you can assign to the `Authorization` header of your request, instead of defining your credentials globally using `HttpAuthMiddleware`.

Severity ?

5.7 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

CWE

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

Assigner

GitHub_M

References

URL

Tags

	https://github.com/scrapy/scrapy/security/advisor…	x_refsource_CONFIRM
	https://github.com/scrapy/scrapy/commit/b01d69a1b…	x_refsource_MISC
	https://w3lib.readthedocs.io/en/latest/w3lib.html…	x_refsource_MISC
	http://doc.scrapy.org/en/latest/topics/downloader…	x_refsource_MISC
	https://lists.debian.org/debian-lts-announce/2022…	mailing-listx_refsource_MLIST

Impacted products

	Vendor	Product	Version
	scrapy	scrapy	Affected: < 1.8.1 Affected: >= 2.0.0, < 2.5.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T02:59:31.432Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/scrapy/scrapy/security/advisories/GHSA-jwqp-28gf-p498"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/scrapy/scrapy/commit/b01d69a1bf48060daec8f751368622352d8b85a6"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://w3lib.readthedocs.io/en/latest/w3lib.html#w3lib.http.basic_auth_header"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://doc.scrapy.org/en/latest/topics/downloader-middleware.html#module-scrapy.downloadermiddlewares.httpauth"
          },
          {
            "name": "[debian-lts-announce] 20220316 [SECURITY] [DLA 2950-1] python-scrapy security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00021.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "scrapy",
          "vendor": "scrapy",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.8.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.0.0, \u003c 2.5.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Scrapy is a high-level web crawling and scraping framework for Python. If you use `HttpAuthMiddleware` (i.e. the `http_user` and `http_pass` spider attributes) for HTTP authentication, all requests will expose your credentials to the request target. This includes requests generated by Scrapy components, such as `robots.txt` requests sent by Scrapy when the `ROBOTSTXT_OBEY` setting is set to `True`, or as requests reached through redirects. Upgrade to Scrapy 2.5.1 and use the new `http_auth_domain` spider attribute to control which domains are allowed to receive the configured HTTP authentication credentials. If you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.5.1 is not an option, you may upgrade to Scrapy 1.8.1 instead. If you cannot upgrade, set your HTTP authentication credentials on a per-request basis, using for example the `w3lib.http.basic_auth_header` function to convert your credentials into a value that you can assign to the `Authorization` header of your request, instead of defining your credentials globally using `HttpAuthMiddleware`."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-03-16T13:06:09.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/scrapy/scrapy/security/advisories/GHSA-jwqp-28gf-p498"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/scrapy/scrapy/commit/b01d69a1bf48060daec8f751368622352d8b85a6"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://w3lib.readthedocs.io/en/latest/w3lib.html#w3lib.http.basic_auth_header"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://doc.scrapy.org/en/latest/topics/downloader-middleware.html#module-scrapy.downloadermiddlewares.httpauth"
        },
        {
          "name": "[debian-lts-announce] 20220316 [SECURITY] [DLA 2950-1] python-scrapy security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00021.html"
        }
      ],
      "source": {
        "advisory": "GHSA-jwqp-28gf-p498",
        "discovery": "UNKNOWN"
      },
      "title": "HTTP authentication credential leak to target websites in scrapy",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-41125",
          "STATE": "PUBLIC",
          "TITLE": "HTTP authentication credential leak to target websites in scrapy"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "scrapy",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 1.8.1"
                          },
                          {
                            "version_value": "\u003e= 2.0.0, \u003c 2.5.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "scrapy"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Scrapy is a high-level web crawling and scraping framework for Python. If you use `HttpAuthMiddleware` (i.e. the `http_user` and `http_pass` spider attributes) for HTTP authentication, all requests will expose your credentials to the request target. This includes requests generated by Scrapy components, such as `robots.txt` requests sent by Scrapy when the `ROBOTSTXT_OBEY` setting is set to `True`, or as requests reached through redirects. Upgrade to Scrapy 2.5.1 and use the new `http_auth_domain` spider attribute to control which domains are allowed to receive the configured HTTP authentication credentials. If you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.5.1 is not an option, you may upgrade to Scrapy 1.8.1 instead. If you cannot upgrade, set your HTTP authentication credentials on a per-request basis, using for example the `w3lib.http.basic_auth_header` function to convert your credentials into a value that you can assign to the `Authorization` header of your request, instead of defining your credentials globally using `HttpAuthMiddleware`."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/scrapy/scrapy/security/advisories/GHSA-jwqp-28gf-p498",
              "refsource": "CONFIRM",
              "url": "https://github.com/scrapy/scrapy/security/advisories/GHSA-jwqp-28gf-p498"
            },
            {
              "name": "https://github.com/scrapy/scrapy/commit/b01d69a1bf48060daec8f751368622352d8b85a6",
              "refsource": "MISC",
              "url": "https://github.com/scrapy/scrapy/commit/b01d69a1bf48060daec8f751368622352d8b85a6"
            },
            {
              "name": "https://w3lib.readthedocs.io/en/latest/w3lib.html#w3lib.http.basic_auth_header",
              "refsource": "MISC",
              "url": "https://w3lib.readthedocs.io/en/latest/w3lib.html#w3lib.http.basic_auth_header"
            },
            {
              "name": "http://doc.scrapy.org/en/latest/topics/downloader-middleware.html#module-scrapy.downloadermiddlewares.httpauth",
              "refsource": "MISC",
              "url": "http://doc.scrapy.org/en/latest/topics/downloader-middleware.html#module-scrapy.downloadermiddlewares.httpauth"
            },
            {
              "name": "[debian-lts-announce] 20220316 [SECURITY] [DLA 2950-1] python-scrapy security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00021.html"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-jwqp-28gf-p498",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-41125",
    "datePublished": "2021-10-06T17:15:13.000Z",
    "dateReserved": "2021-09-15T00:00:00.000Z",
    "dateUpdated": "2024-08-04T02:59:31.432Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

PYSEC-2021-363

Vulnerability from pysec - Published: 2021-10-06 18:15 - Updated: 2021-10-11 01:16

Details

Scrapy is a high-level web crawling and scraping framework for Python. If you use HttpAuthMiddleware (i.e. the http_user and http_pass spider attributes) for HTTP authentication, all requests will expose your credentials to the request target. This includes requests generated by Scrapy components, such as robots.txt requests sent by Scrapy when the ROBOTSTXT_OBEY setting is set to True, or as requests reached through redirects. Upgrade to Scrapy 2.5.1 and use the new http_auth_domain spider attribute to control which domains are allowed to receive the configured HTTP authentication credentials. If you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.5.1 is not an option, you may upgrade to Scrapy 1.8.1 instead. If you cannot upgrade, set your HTTP authentication credentials on a per-request basis, using for example the w3lib.http.basic_auth_header function to convert your credentials into a value that you can assign to the Authorization header of your request, instead of defining your credentials globally using HttpAuthMiddleware.

Impacted products

Name	purl
scrapy	pkg:pypi/scrapy

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "scrapy",
        "purl": "pkg:pypi/scrapy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "b01d69a1bf48060daec8f751368622352d8b85a6"
            }
          ],
          "repo": "https://github.com/scrapy/scrapy",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.8.1"
            },
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.10.4.2364",
        "0.12.0.2550",
        "0.14.1",
        "0.14.2",
        "0.14.3",
        "0.14.4",
        "0.16.0",
        "0.16.1",
        "0.16.2",
        "0.16.3",
        "0.16.4",
        "0.16.5",
        "0.18.0",
        "0.18.1",
        "0.18.2",
        "0.18.3",
        "0.18.4",
        "0.20.0",
        "0.20.1",
        "0.20.2",
        "0.22.0",
        "0.22.1",
        "0.22.2",
        "0.24.0",
        "0.24.1",
        "0.24.2",
        "0.24.3",
        "0.24.4",
        "0.24.5",
        "0.24.6",
        "0.7",
        "0.8",
        "0.9",
        "1.0.0",
        "1.0.0rc1",
        "1.0.0rc2",
        "1.0.0rc3",
        "1.0.1",
        "1.0.2",
        "1.0.3",
        "1.0.4",
        "1.0.5",
        "1.0.6",
        "1.0.7",
        "1.1.0",
        "1.1.0rc1",
        "1.1.0rc2",
        "1.1.0rc3",
        "1.1.0rc4",
        "1.1.1",
        "1.1.2",
        "1.1.3",
        "1.1.4",
        "1.2.0",
        "1.2.1",
        "1.2.2",
        "1.2.3",
        "1.3.0",
        "1.3.1",
        "1.3.2",
        "1.3.3",
        "1.4.0",
        "1.5.0",
        "1.5.1",
        "1.5.2",
        "1.6.0",
        "1.7.0",
        "1.7.1",
        "1.7.2",
        "1.7.3",
        "1.7.4",
        "1.8.0",
        "2.0.0",
        "2.0.1",
        "2.1.0",
        "2.2.0",
        "2.2.1",
        "2.3.0",
        "2.4.0",
        "2.4.1",
        "2.5.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2021-41125",
    "GHSA-jwqp-28gf-p498"
  ],
  "details": "Scrapy is a high-level web crawling and scraping framework for Python. If you use `HttpAuthMiddleware` (i.e. the `http_user` and `http_pass` spider attributes) for HTTP authentication, all requests will expose your credentials to the request target. This includes requests generated by Scrapy components, such as `robots.txt` requests sent by Scrapy when the `ROBOTSTXT_OBEY` setting is set to `True`, or as requests reached through redirects. Upgrade to Scrapy 2.5.1 and use the new `http_auth_domain` spider attribute to control which domains are allowed to receive the configured HTTP authentication credentials. If you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.5.1 is not an option, you may upgrade to Scrapy 1.8.1 instead. If you cannot upgrade, set your HTTP authentication credentials on a per-request basis, using for example the `w3lib.http.basic_auth_header` function to convert your credentials into a value that you can assign to the `Authorization` header of your request, instead of defining your credentials globally using `HttpAuthMiddleware`.",
  "id": "PYSEC-2021-363",
  "modified": "2021-10-11T01:16:42.905582Z",
  "published": "2021-10-06T18:15:00Z",
  "references": [
    {
      "type": "FIX",
      "url": "https://github.com/scrapy/scrapy/commit/b01d69a1bf48060daec8f751368622352d8b85a6"
    },
    {
      "type": "WEB",
      "url": "https://w3lib.readthedocs.io/en/latest/w3lib.html#w3lib.http.basic_auth_header"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/scrapy/scrapy/security/advisories/GHSA-jwqp-28gf-p498"
    },
    {
      "type": "WEB",
      "url": "http://doc.scrapy.org/en/latest/topics/downloader-middleware.html#module-scrapy.downloadermiddlewares.httpauth"
    }
  ]
}

FKIE_CVE-2021-41125

Vulnerability from fkie_nvd - Published: 2021-10-06 18:15 - Updated: 2024-11-21 06:25

Severity ?

5.7 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Summary

References

URL	Tags
security-advisories@github.com	http://doc.scrapy.org/en/latest/topics/downloader-middleware.html#module-scrapy.downloadermiddlewares.httpauth	Vendor Advisory
security-advisories@github.com	https://github.com/scrapy/scrapy/commit/b01d69a1bf48060daec8f751368622352d8b85a6	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/scrapy/scrapy/security/advisories/GHSA-jwqp-28gf-p498	Third Party Advisory
security-advisories@github.com	https://lists.debian.org/debian-lts-announce/2022/03/msg00021.html	Mailing List, Third Party Advisory
security-advisories@github.com	https://w3lib.readthedocs.io/en/latest/w3lib.html#w3lib.http.basic_auth_header	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://doc.scrapy.org/en/latest/topics/downloader-middleware.html#module-scrapy.downloadermiddlewares.httpauth	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/scrapy/scrapy/commit/b01d69a1bf48060daec8f751368622352d8b85a6	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/scrapy/scrapy/security/advisories/GHSA-jwqp-28gf-p498	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2022/03/msg00021.html	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://w3lib.readthedocs.io/en/latest/w3lib.html#w3lib.http.basic_auth_header	Third Party Advisory

Impacted products

Vendor	Product	Version
scrapy	scrapy	*
scrapy	scrapy	*
debian	debian_linux	9.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:scrapy:scrapy:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "4055A315-2C5D-4B44-BD9F-89C1AD000837",
              "versionEndExcluding": "1.8.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:scrapy:scrapy:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AC1006AF-4F0A-470B-BC01-0F95C9CA0975",
              "versionEndExcluding": "2.5.1",
              "versionStartIncluding": "2.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Scrapy is a high-level web crawling and scraping framework for Python. If you use `HttpAuthMiddleware` (i.e. the `http_user` and `http_pass` spider attributes) for HTTP authentication, all requests will expose your credentials to the request target. This includes requests generated by Scrapy components, such as `robots.txt` requests sent by Scrapy when the `ROBOTSTXT_OBEY` setting is set to `True`, or as requests reached through redirects. Upgrade to Scrapy 2.5.1 and use the new `http_auth_domain` spider attribute to control which domains are allowed to receive the configured HTTP authentication credentials. If you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.5.1 is not an option, you may upgrade to Scrapy 1.8.1 instead. If you cannot upgrade, set your HTTP authentication credentials on a per-request basis, using for example the `w3lib.http.basic_auth_header` function to convert your credentials into a value that you can assign to the `Authorization` header of your request, instead of defining your credentials globally using `HttpAuthMiddleware`."
    },
    {
      "lang": "es",
      "value": "Scrapy es un marco de trabajo de alto nivel para el rastreo de la web y el scraping para Python. Si usa \"HttpAuthMiddleware\" (es decir, los atributos de ara\u00f1a \"http_user\" y \"http_pass\") para la autenticaci\u00f3n HTTP, todas las peticiones expondr\u00e1n sus credenciales al objetivo de la petici\u00f3n. Esto incluye las peticiones generadas por los componentes de Scrapy, como las peticiones \"robots.txt\" enviadas por Scrapy cuando la configuraci\u00f3n \"ROBOTSTXT_OBEY\" se establece en \"True\", o como las peticiones alcanzadas a trav\u00e9s de redirecciones. Actualice a Scrapy 2.5.1 y use el nuevo atributo de ara\u00f1a \"http_auth_domain\" para controlar qu\u00e9 dominios pueden recibir las credenciales de autenticaci\u00f3n HTTP configuradas. Si est\u00e1 usando Scrapy versi\u00f3n 1.8 o una versi\u00f3n inferior, y la actualizaci\u00f3n a Scrapy versi\u00f3n 2.5.1 no es una opci\u00f3n, puede actualizar a Scrapy versi\u00f3n 1.8.1 en su lugar. Si no puede actualizar, establezca sus credenciales de autenticaci\u00f3n HTTP por petici\u00f3n, usando por ejemplo la funci\u00f3n \"w3lib.http.basic_auth_header\" para convertir sus credenciales en un valor que pueda asignar al encabezado \"Authorization\" de su petici\u00f3n, en lugar de definir sus credenciales globalmente usando \"HttpAuthMiddleware\""
    }
  ],
  "id": "CVE-2021-41125",
  "lastModified": "2024-11-21T06:25:31.600",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 4.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.7,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.1,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-10-06T18:15:10.953",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://doc.scrapy.org/en/latest/topics/downloader-middleware.html#module-scrapy.downloadermiddlewares.httpauth"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/scrapy/scrapy/commit/b01d69a1bf48060daec8f751368622352d8b85a6"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/scrapy/scrapy/security/advisories/GHSA-jwqp-28gf-p498"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00021.html"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://w3lib.readthedocs.io/en/latest/w3lib.html#w3lib.http.basic_auth_header"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://doc.scrapy.org/en/latest/topics/downloader-middleware.html#module-scrapy.downloadermiddlewares.httpauth"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/scrapy/scrapy/commit/b01d69a1bf48060daec8f751368622352d8b85a6"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/scrapy/scrapy/security/advisories/GHSA-jwqp-28gf-p498"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00021.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://w3lib.readthedocs.io/en/latest/w3lib.html#w3lib.http.basic_auth_header"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-522"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GSD-2021-41125

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Aliases

CVE-2021-41125

Aliases

CVE-2021-41125

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-41125",
    "description": "Scrapy is a high-level web crawling and scraping framework for Python. If you use `HttpAuthMiddleware` (i.e. the `http_user` and `http_pass` spider attributes) for HTTP authentication, all requests will expose your credentials to the request target. This includes requests generated by Scrapy components, such as `robots.txt` requests sent by Scrapy when the `ROBOTSTXT_OBEY` setting is set to `True`, or as requests reached through redirects. Upgrade to Scrapy 2.5.1 and use the new `http_auth_domain` spider attribute to control which domains are allowed to receive the configured HTTP authentication credentials. If you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.5.1 is not an option, you may upgrade to Scrapy 1.8.1 instead. If you cannot upgrade, set your HTTP authentication credentials on a per-request basis, using for example the `w3lib.http.basic_auth_header` function to convert your credentials into a value that you can assign to the `Authorization` header of your request, instead of defining your credentials globally using `HttpAuthMiddleware`.",
    "id": "GSD-2021-41125",
    "references": [
      "https://www.suse.com/security/cve/CVE-2021-41125.html",
      "https://security.archlinux.org/CVE-2021-41125"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-41125"
      ],
      "details": "Scrapy is a high-level web crawling and scraping framework for Python. If you use `HttpAuthMiddleware` (i.e. the `http_user` and `http_pass` spider attributes) for HTTP authentication, all requests will expose your credentials to the request target. This includes requests generated by Scrapy components, such as `robots.txt` requests sent by Scrapy when the `ROBOTSTXT_OBEY` setting is set to `True`, or as requests reached through redirects. Upgrade to Scrapy 2.5.1 and use the new `http_auth_domain` spider attribute to control which domains are allowed to receive the configured HTTP authentication credentials. If you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.5.1 is not an option, you may upgrade to Scrapy 1.8.1 instead. If you cannot upgrade, set your HTTP authentication credentials on a per-request basis, using for example the `w3lib.http.basic_auth_header` function to convert your credentials into a value that you can assign to the `Authorization` header of your request, instead of defining your credentials globally using `HttpAuthMiddleware`.",
      "id": "GSD-2021-41125",
      "modified": "2023-12-13T01:23:26.896470Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2021-41125",
        "STATE": "PUBLIC",
        "TITLE": "HTTP authentication credential leak to target websites in scrapy"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "scrapy",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003c 1.8.1"
                        },
                        {
                          "version_value": "\u003e= 2.0.0, \u003c 2.5.1"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "scrapy"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Scrapy is a high-level web crawling and scraping framework for Python. If you use `HttpAuthMiddleware` (i.e. the `http_user` and `http_pass` spider attributes) for HTTP authentication, all requests will expose your credentials to the request target. This includes requests generated by Scrapy components, such as `robots.txt` requests sent by Scrapy when the `ROBOTSTXT_OBEY` setting is set to `True`, or as requests reached through redirects. Upgrade to Scrapy 2.5.1 and use the new `http_auth_domain` spider attribute to control which domains are allowed to receive the configured HTTP authentication credentials. If you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.5.1 is not an option, you may upgrade to Scrapy 1.8.1 instead. If you cannot upgrade, set your HTTP authentication credentials on a per-request basis, using for example the `w3lib.http.basic_auth_header` function to convert your credentials into a value that you can assign to the `Authorization` header of your request, instead of defining your credentials globally using `HttpAuthMiddleware`."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.7,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/scrapy/scrapy/security/advisories/GHSA-jwqp-28gf-p498",
            "refsource": "CONFIRM",
            "url": "https://github.com/scrapy/scrapy/security/advisories/GHSA-jwqp-28gf-p498"
          },
          {
            "name": "https://github.com/scrapy/scrapy/commit/b01d69a1bf48060daec8f751368622352d8b85a6",
            "refsource": "MISC",
            "url": "https://github.com/scrapy/scrapy/commit/b01d69a1bf48060daec8f751368622352d8b85a6"
          },
          {
            "name": "https://w3lib.readthedocs.io/en/latest/w3lib.html#w3lib.http.basic_auth_header",
            "refsource": "MISC",
            "url": "https://w3lib.readthedocs.io/en/latest/w3lib.html#w3lib.http.basic_auth_header"
          },
          {
            "name": "http://doc.scrapy.org/en/latest/topics/downloader-middleware.html#module-scrapy.downloadermiddlewares.httpauth",
            "refsource": "MISC",
            "url": "http://doc.scrapy.org/en/latest/topics/downloader-middleware.html#module-scrapy.downloadermiddlewares.httpauth"
          },
          {
            "name": "[debian-lts-announce] 20220316 [SECURITY] [DLA 2950-1] python-scrapy security update",
            "refsource": "MLIST",
            "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00021.html"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-jwqp-28gf-p498",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c1.8.1||\u003e=2.0.0,\u003c2.5.1",
          "affected_versions": "All versions before 1.8.1, all versions starting from 2.0.0 before 2.5.1",
          "cvss_v2": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-522",
            "CWE-937"
          ],
          "date": "2022-04-22",
          "description": "Scrapy is a high-level web crawling and scraping framework for Python. If you use `HttpAuthMiddleware` (i.e. the `http_user` and `http_pass` spider attributes) for HTTP authentication, all requests will expose your credentials to the request target. This includes requests generated by Scrapy components, such as `robots.txt` requests sent by Scrapy when the `ROBOTSTXT_OBEY` setting is set to `True`, or as requests reached through redirects. If you cannot upgrade to a patched version, set your HTTP authentication credentials on a per-request basis, using for example the `w3lib.http.basic_auth_header` function to convert your credentials into a value that you can assign to the `Authorization` header of your request, instead of defining your credentials globally using `HttpAuthMiddleware`.",
          "fixed_versions": [
            "1.8.1",
            "2.5.1"
          ],
          "identifier": "CVE-2021-41125",
          "identifiers": [
            "CVE-2021-41125",
            "GHSA-jwqp-28gf-p498"
          ],
          "not_impacted": "All versions starting from 1.8.1 before 2.0.0, all versions starting from 2.5.1",
          "package_slug": "pypi/scrapy",
          "pubdate": "2021-10-06",
          "solution": "Upgrade to versions 1.8.1, 2.5.1 or above.",
          "title": "Exposure of Sensitive Information to an Unauthorized Actor",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2021-41125",
            "http://doc.scrapy.org/en/latest/topics/downloader-middleware.html#module-scrapy.downloadermiddlewares.httpauth"
          ],
          "uuid": "01c6abc5-98e7-48a7-b83d-7c31ffeeca56"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:scrapy:scrapy:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.8.1",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:scrapy:scrapy:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.5.1",
                "versionStartIncluding": "2.0.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-41125"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Scrapy is a high-level web crawling and scraping framework for Python. If you use `HttpAuthMiddleware` (i.e. the `http_user` and `http_pass` spider attributes) for HTTP authentication, all requests will expose your credentials to the request target. This includes requests generated by Scrapy components, such as `robots.txt` requests sent by Scrapy when the `ROBOTSTXT_OBEY` setting is set to `True`, or as requests reached through redirects. Upgrade to Scrapy 2.5.1 and use the new `http_auth_domain` spider attribute to control which domains are allowed to receive the configured HTTP authentication credentials. If you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.5.1 is not an option, you may upgrade to Scrapy 1.8.1 instead. If you cannot upgrade, set your HTTP authentication credentials on a per-request basis, using for example the `w3lib.http.basic_auth_header` function to convert your credentials into a value that you can assign to the `Authorization` header of your request, instead of defining your credentials globally using `HttpAuthMiddleware`."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-522"
                },
                {
                  "lang": "en",
                  "value": "CWE-200"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/scrapy/scrapy/commit/b01d69a1bf48060daec8f751368622352d8b85a6",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/scrapy/scrapy/commit/b01d69a1bf48060daec8f751368622352d8b85a6"
            },
            {
              "name": "https://w3lib.readthedocs.io/en/latest/w3lib.html#w3lib.http.basic_auth_header",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://w3lib.readthedocs.io/en/latest/w3lib.html#w3lib.http.basic_auth_header"
            },
            {
              "name": "https://github.com/scrapy/scrapy/security/advisories/GHSA-jwqp-28gf-p498",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/scrapy/scrapy/security/advisories/GHSA-jwqp-28gf-p498"
            },
            {
              "name": "http://doc.scrapy.org/en/latest/topics/downloader-middleware.html#module-scrapy.downloadermiddlewares.httpauth",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://doc.scrapy.org/en/latest/topics/downloader-middleware.html#module-scrapy.downloadermiddlewares.httpauth"
            },
            {
              "name": "[debian-lts-announce] 20220316 [SECURITY] [DLA 2950-1] python-scrapy security update",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00021.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 4.0,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2022-04-22T16:00Z",
      "publishedDate": "2021-10-06T18:15Z"
    }
  }
}

GHSA-JWQP-28GF-P498

Vulnerability from github – Published: 2021-10-06 17:46 – Updated: 2024-10-26 22:53

Summary

Scrapy HTTP authentication credentials potentially leaked to target websites

Details

Impact

If you use HttpAuthMiddleware (i.e. the http_user and http_pass spider attributes) for HTTP authentication, all requests will expose your credentials to the request target.

This includes requests generated by Scrapy components, such as robots.txt requests sent by Scrapy when the ROBOTSTXT_OBEY setting is set to True, or as requests reached through redirects.

Patches

Upgrade to Scrapy 2.5.1 and use the new http_auth_domain spider attribute to control which domains are allowed to receive the configured HTTP authentication credentials.

If you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.5.1 is not an option, you may upgrade to Scrapy 1.8.1 instead.

Workarounds

If you cannot upgrade, set your HTTP authentication credentials on a per-request basis, using for example the w3lib.http.basic_auth_header function to convert your credentials into a value that you can assign to the Authorization header of your request, instead of defining your credentials globally using HttpAuthMiddleware.

For more information

If you have any questions or comments about this advisory: * Open an issue * Email us

Severity ?

5.7 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

6.9 (Medium)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Scrapy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Scrapy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-41125"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-522"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-10-06T17:32:00Z",
    "nvd_published_at": "2021-10-06T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nIf you use [`HttpAuthMiddleware`](http://doc.scrapy.org/en/latest/topics/downloader-middleware.html#module-scrapy.downloadermiddlewares.httpauth) (i.e. the `http_user` and `http_pass` spider attributes) for HTTP authentication, all requests will expose your credentials to the request target.\n\nThis includes requests generated by Scrapy components, such as `robots.txt` requests sent by Scrapy when the `ROBOTSTXT_OBEY` setting is set to `True`, or as requests reached through redirects.\n\n### Patches\n\nUpgrade to Scrapy 2.5.1 and use the new `http_auth_domain` spider attribute to control which domains are allowed to receive the configured HTTP authentication credentials.\n\nIf you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.5.1 is not an option, you may upgrade to Scrapy 1.8.1 instead.\n\n### Workarounds\n\nIf you cannot upgrade, set your HTTP authentication credentials on a per-request basis, using for example the [`w3lib.http.basic_auth_header`](https://w3lib.readthedocs.io/en/latest/w3lib.html#w3lib.http.basic_auth_header) function to convert your credentials into a value that you can assign to the `Authorization` header of your request, instead of defining your credentials globally using [`HttpAuthMiddleware`](http://doc.scrapy.org/en/latest/topics/downloader-middleware.html#module-scrapy.downloadermiddlewares.httpauth).\n\n### For more information\nIf you have any questions or comments about this advisory:\n* [Open an issue](https://github.com/scrapy/scrapy/issues)\n* [Email us](mailto:opensource@zyte.com)\n",
  "id": "GHSA-jwqp-28gf-p498",
  "modified": "2024-10-26T22:53:21Z",
  "published": "2021-10-06T17:46:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/scrapy/scrapy/security/advisories/GHSA-jwqp-28gf-p498"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41125"
    },
    {
      "type": "WEB",
      "url": "https://github.com/scrapy/scrapy/commit/b01d69a1bf48060daec8f751368622352d8b85a6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/scrapy/PYSEC-2021-363.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/scrapy/scrapy"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00021.html"
    },
    {
      "type": "WEB",
      "url": "https://w3lib.readthedocs.io/en/latest/w3lib.html#w3lib.http.basic_auth_header"
    },
    {
      "type": "WEB",
      "url": "http://doc.scrapy.org/en/latest/topics/downloader-middleware.html#module-scrapy.downloadermiddlewares.httpauth"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Scrapy HTTP authentication credentials potentially leaked to target websites "
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2021-41125 (GCVE-0-2021-41125)

PYSEC-2021-363

FKIE_CVE-2021-41125

GSD-2021-41125

GHSA-JWQP-28GF-P498

Impact

Patches

Workarounds

For more information

Tags

Sightings

Nomenclature