pysec - pysec-2021-363

PYSEC-2021-363

Vulnerability from pysec - Published: 2021-10-06 18:15 - Updated: 2021-10-11 01:16

Details

Scrapy is a high-level web crawling and scraping framework for Python. If you use HttpAuthMiddleware (i.e. the http_user and http_pass spider attributes) for HTTP authentication, all requests will expose your credentials to the request target. This includes requests generated by Scrapy components, such as robots.txt requests sent by Scrapy when the ROBOTSTXT_OBEY setting is set to True, or as requests reached through redirects. Upgrade to Scrapy 2.5.1 and use the new http_auth_domain spider attribute to control which domains are allowed to receive the configured HTTP authentication credentials. If you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.5.1 is not an option, you may upgrade to Scrapy 1.8.1 instead. If you cannot upgrade, set your HTTP authentication credentials on a per-request basis, using for example the w3lib.http.basic_auth_header function to convert your credentials into a value that you can assign to the Authorization header of your request, instead of defining your credentials globally using HttpAuthMiddleware.

Impacted products

Name	purl
scrapy	pkg:pypi/scrapy

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "scrapy",
        "purl": "pkg:pypi/scrapy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "b01d69a1bf48060daec8f751368622352d8b85a6"
            }
          ],
          "repo": "https://github.com/scrapy/scrapy",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.8.1"
            },
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.10.4.2364",
        "0.12.0.2550",
        "0.14.1",
        "0.14.2",
        "0.14.3",
        "0.14.4",
        "0.16.0",
        "0.16.1",
        "0.16.2",
        "0.16.3",
        "0.16.4",
        "0.16.5",
        "0.18.0",
        "0.18.1",
        "0.18.2",
        "0.18.3",
        "0.18.4",
        "0.20.0",
        "0.20.1",
        "0.20.2",
        "0.22.0",
        "0.22.1",
        "0.22.2",
        "0.24.0",
        "0.24.1",
        "0.24.2",
        "0.24.3",
        "0.24.4",
        "0.24.5",
        "0.24.6",
        "0.7",
        "0.8",
        "0.9",
        "1.0.0",
        "1.0.0rc1",
        "1.0.0rc2",
        "1.0.0rc3",
        "1.0.1",
        "1.0.2",
        "1.0.3",
        "1.0.4",
        "1.0.5",
        "1.0.6",
        "1.0.7",
        "1.1.0",
        "1.1.0rc1",
        "1.1.0rc2",
        "1.1.0rc3",
        "1.1.0rc4",
        "1.1.1",
        "1.1.2",
        "1.1.3",
        "1.1.4",
        "1.2.0",
        "1.2.1",
        "1.2.2",
        "1.2.3",
        "1.3.0",
        "1.3.1",
        "1.3.2",
        "1.3.3",
        "1.4.0",
        "1.5.0",
        "1.5.1",
        "1.5.2",
        "1.6.0",
        "1.7.0",
        "1.7.1",
        "1.7.2",
        "1.7.3",
        "1.7.4",
        "1.8.0",
        "2.0.0",
        "2.0.1",
        "2.1.0",
        "2.2.0",
        "2.2.1",
        "2.3.0",
        "2.4.0",
        "2.4.1",
        "2.5.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2021-41125",
    "GHSA-jwqp-28gf-p498"
  ],
  "details": "Scrapy is a high-level web crawling and scraping framework for Python. If you use `HttpAuthMiddleware` (i.e. the `http_user` and `http_pass` spider attributes) for HTTP authentication, all requests will expose your credentials to the request target. This includes requests generated by Scrapy components, such as `robots.txt` requests sent by Scrapy when the `ROBOTSTXT_OBEY` setting is set to `True`, or as requests reached through redirects. Upgrade to Scrapy 2.5.1 and use the new `http_auth_domain` spider attribute to control which domains are allowed to receive the configured HTTP authentication credentials. If you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.5.1 is not an option, you may upgrade to Scrapy 1.8.1 instead. If you cannot upgrade, set your HTTP authentication credentials on a per-request basis, using for example the `w3lib.http.basic_auth_header` function to convert your credentials into a value that you can assign to the `Authorization` header of your request, instead of defining your credentials globally using `HttpAuthMiddleware`.",
  "id": "PYSEC-2021-363",
  "modified": "2021-10-11T01:16:42.905582Z",
  "published": "2021-10-06T18:15:00Z",
  "references": [
    {
      "type": "FIX",
      "url": "https://github.com/scrapy/scrapy/commit/b01d69a1bf48060daec8f751368622352d8b85a6"
    },
    {
      "type": "WEB",
      "url": "https://w3lib.readthedocs.io/en/latest/w3lib.html#w3lib.http.basic_auth_header"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/scrapy/scrapy/security/advisories/GHSA-jwqp-28gf-p498"
    },
    {
      "type": "WEB",
      "url": "http://doc.scrapy.org/en/latest/topics/downloader-middleware.html#module-scrapy.downloadermiddlewares.httpauth"
    }
  ]
}

CVE-2021-41125 (GCVE-0-2021-41125)

Vulnerability from cvelistv5 – Published: 2021-10-06 17:15 – Updated: 2024-08-04 02:59

Summary

Scrapy is a high-level web crawling and scraping framework for Python. If you use `HttpAuthMiddleware` (i.e. the `http_user` and `http_pass` spider attributes) for HTTP authentication, all requests will expose your credentials to the request target. This includes requests generated by Scrapy components, such as `robots.txt` requests sent by Scrapy when the `ROBOTSTXT_OBEY` setting is set to `True`, or as requests reached through redirects. Upgrade to Scrapy 2.5.1 and use the new `http_auth_domain` spider attribute to control which domains are allowed to receive the configured HTTP authentication credentials. If you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.5.1 is not an option, you may upgrade to Scrapy 1.8.1 instead. If you cannot upgrade, set your HTTP authentication credentials on a per-request basis, using for example the `w3lib.http.basic_auth_header` function to convert your credentials into a value that you can assign to the `Authorization` header of your request, instead of defining your credentials globally using `HttpAuthMiddleware`.

Severity ?

5.7 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

CWE

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

Assigner

GitHub_M

References

URL

Tags

	https://github.com/scrapy/scrapy/security/advisor…	x_refsource_CONFIRM
	https://github.com/scrapy/scrapy/commit/b01d69a1b…	x_refsource_MISC
	https://w3lib.readthedocs.io/en/latest/w3lib.html…	x_refsource_MISC
	http://doc.scrapy.org/en/latest/topics/downloader…	x_refsource_MISC
	https://lists.debian.org/debian-lts-announce/2022…	mailing-listx_refsource_MLIST

Impacted products

	Vendor	Product	Version
	scrapy	scrapy	Affected: < 1.8.1 Affected: >= 2.0.0, < 2.5.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T02:59:31.432Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/scrapy/scrapy/security/advisories/GHSA-jwqp-28gf-p498"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/scrapy/scrapy/commit/b01d69a1bf48060daec8f751368622352d8b85a6"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://w3lib.readthedocs.io/en/latest/w3lib.html#w3lib.http.basic_auth_header"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://doc.scrapy.org/en/latest/topics/downloader-middleware.html#module-scrapy.downloadermiddlewares.httpauth"
          },
          {
            "name": "[debian-lts-announce] 20220316 [SECURITY] [DLA 2950-1] python-scrapy security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00021.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "scrapy",
          "vendor": "scrapy",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.8.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.0.0, \u003c 2.5.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Scrapy is a high-level web crawling and scraping framework for Python. If you use `HttpAuthMiddleware` (i.e. the `http_user` and `http_pass` spider attributes) for HTTP authentication, all requests will expose your credentials to the request target. This includes requests generated by Scrapy components, such as `robots.txt` requests sent by Scrapy when the `ROBOTSTXT_OBEY` setting is set to `True`, or as requests reached through redirects. Upgrade to Scrapy 2.5.1 and use the new `http_auth_domain` spider attribute to control which domains are allowed to receive the configured HTTP authentication credentials. If you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.5.1 is not an option, you may upgrade to Scrapy 1.8.1 instead. If you cannot upgrade, set your HTTP authentication credentials on a per-request basis, using for example the `w3lib.http.basic_auth_header` function to convert your credentials into a value that you can assign to the `Authorization` header of your request, instead of defining your credentials globally using `HttpAuthMiddleware`."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-03-16T13:06:09",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/scrapy/scrapy/security/advisories/GHSA-jwqp-28gf-p498"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/scrapy/scrapy/commit/b01d69a1bf48060daec8f751368622352d8b85a6"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://w3lib.readthedocs.io/en/latest/w3lib.html#w3lib.http.basic_auth_header"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://doc.scrapy.org/en/latest/topics/downloader-middleware.html#module-scrapy.downloadermiddlewares.httpauth"
        },
        {
          "name": "[debian-lts-announce] 20220316 [SECURITY] [DLA 2950-1] python-scrapy security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00021.html"
        }
      ],
      "source": {
        "advisory": "GHSA-jwqp-28gf-p498",
        "discovery": "UNKNOWN"
      },
      "title": "HTTP authentication credential leak to target websites in scrapy",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-41125",
          "STATE": "PUBLIC",
          "TITLE": "HTTP authentication credential leak to target websites in scrapy"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "scrapy",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 1.8.1"
                          },
                          {
                            "version_value": "\u003e= 2.0.0, \u003c 2.5.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "scrapy"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Scrapy is a high-level web crawling and scraping framework for Python. If you use `HttpAuthMiddleware` (i.e. the `http_user` and `http_pass` spider attributes) for HTTP authentication, all requests will expose your credentials to the request target. This includes requests generated by Scrapy components, such as `robots.txt` requests sent by Scrapy when the `ROBOTSTXT_OBEY` setting is set to `True`, or as requests reached through redirects. Upgrade to Scrapy 2.5.1 and use the new `http_auth_domain` spider attribute to control which domains are allowed to receive the configured HTTP authentication credentials. If you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.5.1 is not an option, you may upgrade to Scrapy 1.8.1 instead. If you cannot upgrade, set your HTTP authentication credentials on a per-request basis, using for example the `w3lib.http.basic_auth_header` function to convert your credentials into a value that you can assign to the `Authorization` header of your request, instead of defining your credentials globally using `HttpAuthMiddleware`."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/scrapy/scrapy/security/advisories/GHSA-jwqp-28gf-p498",
              "refsource": "CONFIRM",
              "url": "https://github.com/scrapy/scrapy/security/advisories/GHSA-jwqp-28gf-p498"
            },
            {
              "name": "https://github.com/scrapy/scrapy/commit/b01d69a1bf48060daec8f751368622352d8b85a6",
              "refsource": "MISC",
              "url": "https://github.com/scrapy/scrapy/commit/b01d69a1bf48060daec8f751368622352d8b85a6"
            },
            {
              "name": "https://w3lib.readthedocs.io/en/latest/w3lib.html#w3lib.http.basic_auth_header",
              "refsource": "MISC",
              "url": "https://w3lib.readthedocs.io/en/latest/w3lib.html#w3lib.http.basic_auth_header"
            },
            {
              "name": "http://doc.scrapy.org/en/latest/topics/downloader-middleware.html#module-scrapy.downloadermiddlewares.httpauth",
              "refsource": "MISC",
              "url": "http://doc.scrapy.org/en/latest/topics/downloader-middleware.html#module-scrapy.downloadermiddlewares.httpauth"
            },
            {
              "name": "[debian-lts-announce] 20220316 [SECURITY] [DLA 2950-1] python-scrapy security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00021.html"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-jwqp-28gf-p498",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-41125",
    "datePublished": "2021-10-06T17:15:13",
    "dateReserved": "2021-09-15T00:00:00",
    "dateUpdated": "2024-08-04T02:59:31.432Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

GHSA-JWQP-28GF-P498

Vulnerability from github – Published: 2021-10-06 17:46 – Updated: 2024-10-26 22:53

Summary

Scrapy HTTP authentication credentials potentially leaked to target websites

Details

Impact

If you use HttpAuthMiddleware (i.e. the http_user and http_pass spider attributes) for HTTP authentication, all requests will expose your credentials to the request target.

This includes requests generated by Scrapy components, such as robots.txt requests sent by Scrapy when the ROBOTSTXT_OBEY setting is set to True, or as requests reached through redirects.

Patches

Upgrade to Scrapy 2.5.1 and use the new http_auth_domain spider attribute to control which domains are allowed to receive the configured HTTP authentication credentials.

If you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.5.1 is not an option, you may upgrade to Scrapy 1.8.1 instead.

Workarounds

If you cannot upgrade, set your HTTP authentication credentials on a per-request basis, using for example the w3lib.http.basic_auth_header function to convert your credentials into a value that you can assign to the Authorization header of your request, instead of defining your credentials globally using HttpAuthMiddleware.

For more information

If you have any questions or comments about this advisory: * Open an issue * Email us

Severity ?

5.7 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

6.9 (Medium)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Scrapy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Scrapy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-41125"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-522"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-10-06T17:32:00Z",
    "nvd_published_at": "2021-10-06T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nIf you use [`HttpAuthMiddleware`](http://doc.scrapy.org/en/latest/topics/downloader-middleware.html#module-scrapy.downloadermiddlewares.httpauth) (i.e. the `http_user` and `http_pass` spider attributes) for HTTP authentication, all requests will expose your credentials to the request target.\n\nThis includes requests generated by Scrapy components, such as `robots.txt` requests sent by Scrapy when the `ROBOTSTXT_OBEY` setting is set to `True`, or as requests reached through redirects.\n\n### Patches\n\nUpgrade to Scrapy 2.5.1 and use the new `http_auth_domain` spider attribute to control which domains are allowed to receive the configured HTTP authentication credentials.\n\nIf you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.5.1 is not an option, you may upgrade to Scrapy 1.8.1 instead.\n\n### Workarounds\n\nIf you cannot upgrade, set your HTTP authentication credentials on a per-request basis, using for example the [`w3lib.http.basic_auth_header`](https://w3lib.readthedocs.io/en/latest/w3lib.html#w3lib.http.basic_auth_header) function to convert your credentials into a value that you can assign to the `Authorization` header of your request, instead of defining your credentials globally using [`HttpAuthMiddleware`](http://doc.scrapy.org/en/latest/topics/downloader-middleware.html#module-scrapy.downloadermiddlewares.httpauth).\n\n### For more information\nIf you have any questions or comments about this advisory:\n* [Open an issue](https://github.com/scrapy/scrapy/issues)\n* [Email us](mailto:opensource@zyte.com)\n",
  "id": "GHSA-jwqp-28gf-p498",
  "modified": "2024-10-26T22:53:21Z",
  "published": "2021-10-06T17:46:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/scrapy/scrapy/security/advisories/GHSA-jwqp-28gf-p498"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41125"
    },
    {
      "type": "WEB",
      "url": "https://github.com/scrapy/scrapy/commit/b01d69a1bf48060daec8f751368622352d8b85a6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/scrapy/PYSEC-2021-363.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/scrapy/scrapy"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00021.html"
    },
    {
      "type": "WEB",
      "url": "https://w3lib.readthedocs.io/en/latest/w3lib.html#w3lib.http.basic_auth_header"
    },
    {
      "type": "WEB",
      "url": "http://doc.scrapy.org/en/latest/topics/downloader-middleware.html#module-scrapy.downloadermiddlewares.httpauth"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Scrapy HTTP authentication credentials potentially leaked to target websites "
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

PYSEC-2021-363

CVE-2021-41125 (GCVE-0-2021-41125)

GHSA-JWQP-28GF-P498

Impact

Patches

Workarounds

For more information

Tags

Sightings

Nomenclature