Main Vulnerability Database SB2021100637

SB2021100637 - Improper access control in scrapy

Published: October 6, 2021 Updated: April 23, 2026

Security Bulletin ID SB2021100637

CSH Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Improper access control (CVE-ID: CVE-2021-41125)

The vulnerability allows a remote attacker to disclose HTTP authentication credentials.

The vulnerability exists due to improper access control in HttpAuthMiddleware when handling requests to target websites. A remote attacker can trigger requests, redirects, or auxiliary requests to receive the configured HTTP authentication credentials and disclose HTTP authentication credentials.

This includes requests generated by Scrapy components such as robots.txt requests when ROBOTSTXT_OBEY is enabled, as well as requests reached through redirects.

Remediation

Install update from vendor's website.

SB2021100637 - Improper access control in scrapy

Breakdown by Severity

Description

Remediation

References

Please verify you're human