Vulnerability-Lookup

CVE-2024-3574 (GCVE-0-2024-3574)

Vulnerability from cvelistv5 – Published: 2024-04-16 00:00 – Updated: 2024-08-01 20:12

Title

Authorization Header Leak During Cross-Domain Redirect in scrapy/scrapy

Summary

In scrapy version 2.10.1, an issue was identified where the Authorization header, containing credentials for server authentication, is leaked to a third-party site during a cross-domain redirect. This vulnerability arises from the failure to remove the Authorization header when redirecting across domains. The exposure of the Authorization header to unauthorized actors could potentially allow for account hijacking.

Severity ?

7.5 (High)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

Assigner

@huntr_ai

References

URL

Tags

	https://huntr.com/bounties/49974321-2718-43e3-a15…
	https://github.com/scrapy/scrapy/commit/5bcb8fd50…

Impacted products

	Vendor	Product	Version
	scrapy	scrapy/scrapy	Affected: unspecified , < 2.11.1 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:scrapy:scrapy:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "scrapy",
            "vendor": "scrapy",
            "versions": [
              {
                "lessThan": "2.11.1",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-3574",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-04-18T15:23:27.914402Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-03T15:46:57.275Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T20:12:08.239Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://huntr.com/bounties/49974321-2718-43e3-a152-62b16eed72a9"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/scrapy/scrapy/commit/5bcb8fd5019c72d05c4a96da78a7fcb6ecb55b75"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "scrapy/scrapy",
          "vendor": "scrapy",
          "versions": [
            {
              "lessThan": "2.11.1",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In scrapy version 2.10.1, an issue was identified where the Authorization header, containing credentials for server authentication, is leaked to a third-party site during a cross-domain redirect. This vulnerability arises from the failure to remove the Authorization header when redirecting across domains. The exposure of the Authorization header to unauthorized actors could potentially allow for account hijacking."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-04-16T11:10:56.646Z",
        "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "shortName": "@huntr_ai"
      },
      "references": [
        {
          "url": "https://huntr.com/bounties/49974321-2718-43e3-a152-62b16eed72a9"
        },
        {
          "url": "https://github.com/scrapy/scrapy/commit/5bcb8fd5019c72d05c4a96da78a7fcb6ecb55b75"
        }
      ],
      "source": {
        "advisory": "49974321-2718-43e3-a152-62b16eed72a9",
        "discovery": "EXTERNAL"
      },
      "title": "Authorization Header Leak During Cross-Domain Redirect in scrapy/scrapy"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
    "assignerShortName": "@huntr_ai",
    "cveId": "CVE-2024-3574",
    "datePublished": "2024-04-16T00:00:15.109Z",
    "dateReserved": "2024-04-10T09:54:50.274Z",
    "dateUpdated": "2024-08-01T20:12:08.239Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://huntr.com/bounties/49974321-2718-43e3-a152-62b16eed72a9\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://github.com/scrapy/scrapy/commit/5bcb8fd5019c72d05c4a96da78a7fcb6ecb55b75\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-01T20:12:08.239Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-3574\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-04-18T15:23:27.914402Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:scrapy:scrapy:*:*:*:*:*:*:*:*\"], \"vendor\": \"scrapy\", \"product\": \"scrapy\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"2.11.1\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-07-03T15:46:52.234Z\"}}], \"cna\": {\"title\": \"Authorization Header Leak During Cross-Domain Redirect in scrapy/scrapy\", \"source\": {\"advisory\": \"49974321-2718-43e3-a152-62b16eed72a9\", \"discovery\": \"EXTERNAL\"}, \"metrics\": [{\"cvssV3_0\": {\"scope\": \"UNCHANGED\", \"version\": \"3.0\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"scrapy\", \"product\": \"scrapy/scrapy\", \"versions\": [{\"status\": \"affected\", \"version\": \"unspecified\", \"lessThan\": \"2.11.1\", \"versionType\": \"custom\"}]}], \"references\": [{\"url\": \"https://huntr.com/bounties/49974321-2718-43e3-a152-62b16eed72a9\"}, {\"url\": \"https://github.com/scrapy/scrapy/commit/5bcb8fd5019c72d05c4a96da78a7fcb6ecb55b75\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"In scrapy version 2.10.1, an issue was identified where the Authorization header, containing credentials for server authentication, is leaked to a third-party site during a cross-domain redirect. This vulnerability arises from the failure to remove the Authorization header when redirecting across domains. The exposure of the Authorization header to unauthorized actors could potentially allow for account hijacking.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-200\", \"description\": \"CWE-200 Exposure of Sensitive Information to an Unauthorized Actor\"}]}], \"providerMetadata\": {\"orgId\": \"c09c270a-b464-47c1-9133-acb35b22c19a\", \"shortName\": \"@huntr_ai\", \"dateUpdated\": \"2024-04-16T11:10:56.646Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-3574\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-01T20:12:08.239Z\", \"dateReserved\": \"2024-04-10T09:54:50.274Z\", \"assignerOrgId\": \"c09c270a-b464-47c1-9133-acb35b22c19a\", \"datePublished\": \"2024-04-16T00:00:15.109Z\", \"assignerShortName\": \"@huntr_ai\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GSD-2024-3574

Vulnerability from gsd - Updated: 2024-04-11 05:03

Details

Aliases

CVE-2024-3574

JSON

To clipboard

{
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2024-3574"
      ],
      "details": "In scrapy version 2.10.1, an issue was identified where the Authorization header, containing credentials for server authentication, is leaked to a third-party site during a cross-domain redirect. This vulnerability arises from the failure to remove the Authorization header when redirecting across domains. The exposure of the Authorization header to unauthorized actors could potentially allow for account hijacking.",
      "id": "GSD-2024-3574",
      "modified": "2024-04-11T05:03:27.341458Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@huntr.com",
        "ID": "CVE-2024-3574",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "scrapy/scrapy",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "unspecified",
                          "version_value": "2.11.1"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "scrapy"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "In scrapy version 2.10.1, an issue was identified where the Authorization header, containing credentials for server authentication, is leaked to a third-party site during a cross-domain redirect. This vulnerability arises from the failure to remove the Authorization header when redirecting across domains. The exposure of the Authorization header to unauthorized actors could potentially allow for account hijacking."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-200",
                "lang": "eng",
                "value": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://huntr.com/bounties/49974321-2718-43e3-a152-62b16eed72a9",
            "refsource": "MISC",
            "url": "https://huntr.com/bounties/49974321-2718-43e3-a152-62b16eed72a9"
          },
          {
            "name": "https://github.com/scrapy/scrapy/commit/5bcb8fd5019c72d05c4a96da78a7fcb6ecb55b75",
            "refsource": "MISC",
            "url": "https://github.com/scrapy/scrapy/commit/5bcb8fd5019c72d05c4a96da78a7fcb6ecb55b75"
          }
        ]
      },
      "source": {
        "advisory": "49974321-2718-43e3-a152-62b16eed72a9",
        "discovery": "EXTERNAL"
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "descriptions": [
          {
            "lang": "en",
            "value": "In scrapy version 2.10.1, an issue was identified where the Authorization header, containing credentials for server authentication, is leaked to a third-party site during a cross-domain redirect. This vulnerability arises from the failure to remove the Authorization header when redirecting across domains. The exposure of the Authorization header to unauthorized actors could potentially allow for account hijacking."
          },
          {
            "lang": "es",
            "value": "En la versi\u00f3n 2.10.1 de scrapy, se identific\u00f3 un problema por el cual el encabezado de Autorizaci\u00f3n, que contiene las credenciales para la autenticaci\u00f3n del servidor, se filtra a un sitio de terceros durante una redirecci\u00f3n entre dominios. Esta vulnerabilidad surge de no eliminar el encabezado de Autorizaci\u00f3n al redireccionar entre dominios. La exposici\u00f3n del encabezado de Autorizaci\u00f3n a actores no autorizados podr\u00eda permitir el secuestro de cuentas."
          }
        ],
        "id": "CVE-2024-3574",
        "lastModified": "2024-04-16T13:24:07.103",
        "metrics": {
          "cvssMetricV30": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.0"
              },
              "exploitabilityScore": 3.9,
              "impactScore": 3.6,
              "source": "security@huntr.dev",
              "type": "Secondary"
            }
          ]
        },
        "published": "2024-04-16T00:15:12.750",
        "references": [
          {
            "source": "security@huntr.dev",
            "url": "https://github.com/scrapy/scrapy/commit/5bcb8fd5019c72d05c4a96da78a7fcb6ecb55b75"
          },
          {
            "source": "security@huntr.dev",
            "url": "https://huntr.com/bounties/49974321-2718-43e3-a152-62b16eed72a9"
          }
        ],
        "sourceIdentifier": "security@huntr.dev",
        "vulnStatus": "Awaiting Analysis",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-200"
              }
            ],
            "source": "security@huntr.dev",
            "type": "Primary"
          }
        ]
      }
    }
  }
}

GHSA-CW9J-Q3VF-HRRV

Vulnerability from github – Published: 2024-02-15 15:32 – Updated: 2024-04-16 14:05

Summary

Scrapy authorization header leakage on cross-domain redirect

Details

Impact

When you send a request with the Authorization header to one domain, and the response asks to redirect to a different domain, Scrapy’s built-in redirect middleware creates a follow-up redirect request that keeps the original Authorization header, leaking its content to that second domain.

The right behavior would be to drop the Authorization header instead, in this scenario.

Patches

Upgrade to Scrapy 2.11.1.

If you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.11.1 is not an option, you may upgrade to Scrapy 1.8.4 instead.

Workarounds

If you cannot upgrade, make sure that you are not using the Authentication header, either directly or through some third-party plugin.

If you need to use that header in some requests, add "dont_redirect": True to the request.meta dictionary of those requests to disable following redirects for them.

If you need to keep (same domain) redirect support on those requests, make sure you trust the target website not to redirect your requests to a different domain.

Acknowledgements

This security issue was reported by @ranjit-git through huntr.com.

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "scrapy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2"
            },
            {
              "fixed": "2.11.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "scrapy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.8.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-3574"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-15T15:32:15Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\n\nWhen you send a request with the `Authorization` header to one domain, and the response asks to redirect to a different domain, Scrapy\u2019s built-in redirect middleware creates a follow-up redirect request that keeps the original `Authorization` header, leaking its content to that second domain.\n\nThe [right behavior](https://fetch.spec.whatwg.org/#ref-for-cors-non-wildcard-request-header-name) would be to drop the `Authorization` header instead, in this scenario.\n\n### Patches\n\nUpgrade to Scrapy 2.11.1.\n\nIf you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.11.1 is not an option, you may upgrade to Scrapy 1.8.4 instead.\n\n### Workarounds\n\nIf you cannot upgrade, make sure that you are not using the `Authentication` header, either directly or through some third-party plugin.\n\nIf you need to use that header in some requests, add `\"dont_redirect\": True` to the `request.meta` dictionary of those requests to disable following redirects for them.\n\nIf you need to keep (same domain) redirect support on those requests, make sure you trust the target website not to redirect your requests to a different domain.\n\n### Acknowledgements\n\nThis security issue was reported by @ranjit-git  [through huntr.com](https://huntr.com/bounties/49974321-2718-43e3-a152-62b16eed72a9/).",
  "id": "GHSA-cw9j-q3vf-hrrv",
  "modified": "2024-04-16T14:05:51Z",
  "published": "2024-02-15T15:32:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/scrapy/scrapy/security/advisories/GHSA-cw9j-q3vf-hrrv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3574"
    },
    {
      "type": "WEB",
      "url": "https://github.com/scrapy/scrapy/commit/ee7bd9d217fc126063575d5649f00bdeeca2faae"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/scrapy/scrapy"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/49974321-2718-43e3-a152-62b16eed72a9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Scrapy authorization header leakage on cross-domain redirect"
}

FKIE_CVE-2024-3574

Vulnerability from fkie_nvd - Published: 2024-04-16 00:15 - Updated: 2025-07-28 14:51

Severity ?

7.5 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Summary

References

URL	Tags
security@huntr.dev	https://github.com/scrapy/scrapy/commit/5bcb8fd5019c72d05c4a96da78a7fcb6ecb55b75	Patch
security@huntr.dev	https://huntr.com/bounties/49974321-2718-43e3-a152-62b16eed72a9	Exploit, Issue Tracking, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/scrapy/scrapy/commit/5bcb8fd5019c72d05c4a96da78a7fcb6ecb55b75	Patch
af854a3a-2127-422b-91ae-364da2661108	https://huntr.com/bounties/49974321-2718-43e3-a152-62b16eed72a9	Exploit, Issue Tracking, Patch, Third Party Advisory

Impacted products

	Vendor	Product	Version
	scrapy	scrapy	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:scrapy:scrapy:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "99249052-7A1E-4B27-9201-E420B8FB7782",
              "versionEndExcluding": "2.11.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In scrapy version 2.10.1, an issue was identified where the Authorization header, containing credentials for server authentication, is leaked to a third-party site during a cross-domain redirect. This vulnerability arises from the failure to remove the Authorization header when redirecting across domains. The exposure of the Authorization header to unauthorized actors could potentially allow for account hijacking."
    },
    {
      "lang": "es",
      "value": "En la versi\u00f3n 2.10.1 de scrapy, se identific\u00f3 un problema por el cual el encabezado de Autorizaci\u00f3n, que contiene las credenciales para la autenticaci\u00f3n del servidor, se filtra a un sitio de terceros durante una redirecci\u00f3n entre dominios. Esta vulnerabilidad surge de no eliminar el encabezado de Autorizaci\u00f3n al redireccionar entre dominios. La exposici\u00f3n del encabezado de Autorizaci\u00f3n a actores no autorizados podr\u00eda permitir el secuestro de cuentas."
    }
  ],
  "id": "CVE-2024-3574",
  "lastModified": "2025-07-28T14:51:40.343",
  "metrics": {
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security@huntr.dev",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-04-16T00:15:12.750",
  "references": [
    {
      "source": "security@huntr.dev",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/scrapy/scrapy/commit/5bcb8fd5019c72d05c4a96da78a7fcb6ecb55b75"
    },
    {
      "source": "security@huntr.dev",
      "tags": [
        "Exploit",
        "Issue Tracking",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://huntr.com/bounties/49974321-2718-43e3-a152-62b16eed72a9"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/scrapy/scrapy/commit/5bcb8fd5019c72d05c4a96da78a7fcb6ecb55b75"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Issue Tracking",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://huntr.com/bounties/49974321-2718-43e3-a152-62b16eed72a9"
    }
  ],
  "sourceIdentifier": "security@huntr.dev",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        }
      ],
      "source": "security@huntr.dev",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-3574 (GCVE-0-2024-3574)

GSD-2024-3574

GHSA-CW9J-Q3VF-HRRV

Impact

Patches

Workarounds

Acknowledgements

FKIE_CVE-2024-3574

Tags

Sightings

Nomenclature