SB2022030140 - Multiple vulnerabilities in scrapy
Published: March 1, 2022 Updated: April 23, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 vulnerabilities.
1) Origin validation error (CVE-ID: N/A)
CWE-ID: CWE-346 - Origin Validation Error
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to inject cookies into requests sent to other domains sharing the same public suffix.
The vulnerability exists due to improper cookie domain validation in the cookie handling logic when processing responses from domain names whose public suffix contains one or more periods. A remote attacker can send a response that sets a crafted cookie domain to inject cookies into requests sent to other domains sharing the same public suffix.
This affects public domain suffixes that contain one or more periods, such as co.uk.
2) Information disclosure (CVE-ID: CVE-2022-0577)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper cookie handling in redirect request handling when following redirects after processing a request with manually defined cookies. A remote attacker can trigger a cross-domain redirect to disclose sensitive information.
This issue affects requests where cookies are manually defined on the Request object.
Remediation
Install update from vendor's website.