SB2024021456 - Multiple vulnerabilities in scrapy

Description

This security bulletin contains information about 4 vulnerabilities.

1) Inefficient regular expression complexity (CVE-ID: N/A)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to inefficient regular expression complexity in XMLFeedSpider default node iterator and scrapy.utils.iterators.xmliter when parsing malicious response content. A remote attacker can send a specially crafted response to cause a denial of service.

The issue can lead to extreme CPU and memory usage during content parsing.

2) Inefficient regular expression complexity (CVE-ID: N/A)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to inefficient regular expression complexity in open_in_browser when processing a response without a base tag. A remote attacker can provide a specially crafted response to cause a denial of service.

This issue affects Scrapy 2.6.0 through 2.11.0.

3) Improper handling of highly compressed data (CVE-ID: N/A)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper handling of highly compressed data in HTTP response decompression when processing compressed response bodies from scraped websites. A remote attacker can send a specially crafted compressed response to cause a denial of service.

Memory exhaustion may affect other processes sharing the same memory, and disk usage may also be affected when uncompressed response caching is enabled.

4) Information disclosure (CVE-ID: N/A)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to exposure of sensitive information in the built-in redirect middleware when following a cross-domain redirect after sending a request with an Authorization header. A remote attacker can trigger a redirect to a different domain to disclose sensitive information.

The issue occurs because the follow-up redirect request keeps the original Authorization header instead of dropping it.

Remediation

Install update from vendor's website.

References

• https://github.com/scrapy/scrapy/security/advisories/GHSA-cc65-xxvf-f7r9
• https://github.com/advisories/GHSA-cc65-xxvf-f7r9
• https://github.com/scrapy/scrapy/security/advisories/GHSA-7j7m-v7m3-jqm7
• https://github.com/advisories/GHSA-7j7m-v7m3-jqm7
• https://github.com/scrapy/scrapy/security/advisories/GHSA-cw9j-q3vf-hrrv
• https://github.com/advisories/GHSA-cw9j-q3vf-hrrv