SB2022030140 - Multiple vulnerabilities in scrapy



SB2022030140 - Multiple vulnerabilities in scrapy

Published: March 1, 2022 Updated: April 23, 2026

Security Bulletin ID SB2022030140
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 vulnerabilities.


1) Origin validation error (CVE-ID: N/A)

CWE-ID: CWE-346 - Origin Validation Error

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to inject cookies into requests sent to other domains sharing the same public suffix.

The vulnerability exists due to improper cookie domain validation in the cookie handling logic when processing responses from domain names whose public suffix contains one or more periods. A remote attacker can send a response that sets a crafted cookie domain to inject cookies into requests sent to other domains sharing the same public suffix.

This affects public domain suffixes that contain one or more periods, such as co.uk.


2) Information disclosure (CVE-ID: CVE-2022-0577)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper cookie handling in redirect request handling when following redirects after processing a request with manually defined cookies. A remote attacker can trigger a cross-domain redirect to disclose sensitive information.

This issue affects requests where cookies are manually defined on the Request object.


Remediation

Install update from vendor's website.