SB2024051470 - Multiple vulnerabilities in scrapy
Published: May 14, 2024 Updated: April 23, 2026
Description
This security bulletin contains information about 3 security vulnerabilities.
1) Information disclosure (CVE-ID: N/A)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to exposure of sensitive information in the redirect handling logic when processing same-domain but cross-origin redirects. A remote attacker can perform a man-in-the-middle attack to disclose sensitive information.
The issue affects the Authorization header when the scheme or port changes while the domain remains the same.
2) Unintended Proxy or Intermediary (CVE-ID: N/A)
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper handling of scheme-specific proxy settings in RedirectMiddleware, MetaRefreshMiddleware, and HttpProxyMiddleware when processing redirects that change URL schemes. A remote user can trigger a redirect between http and https URLs to disclose sensitive information.
Only deployments that use different system proxy configurations for HTTP and HTTPS are affected by the security impact.
3) Files or Directories Accessible to External Parties (CVE-ID: N/A)
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper restriction of redirect targets in redirect handling when following redirects to non-http schemes. A remote user can define start requests that trigger redirects to file://, ftp://, or s3:// URLs to disclose sensitive information.
Exploitation requires write access to the spider start requests and read access to the spider output.
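The three issues above share one root cause: a redirect target is trusted without re-checking its origin, scheme and proxy. The following is an added example (not Scrapy's own middleware) of a redirect policy that performs those checks; the request is a plain dict and the per-scheme proxy map holds constructed placeholder hosts.

```python
from urllib.parse import urlsplit

# Hypothetical per-scheme proxy map, standing in for separate http/https
# system proxy settings (constructed sample values, not real hosts).
PROXIES = {
    "http": "http://proxy-a.example:3128",
    "https": "http://proxy-b.example:3128",
}

ALLOWED_REDIRECT_SCHEMES = {"http", "https"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) origin of a URL, filling in default ports."""
    parts = urlsplit(url)
    port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    return (parts.scheme, (parts.hostname or "").lower(), port)


def follow_redirect(request, location, proxies=PROXIES):
    """Build the follow-up request for a redirect, or return None to refuse it.

    request is a dict with "url", "headers" (dict) and optionally "proxy".
    One check per issue in the bulletin:
      1. Authorization is dropped whenever the origin (scheme, host or port)
         changes, even when the domain stays the same.
      2. The proxy is re-selected from the target scheme instead of being
         carried over from the original request.
      3. Only http/https targets are followed; file://, ftp://, s3:// and
         any other scheme are refused.
    """
    target = urlsplit(location)
    if target.scheme not in ALLOWED_REDIRECT_SCHEMES:
        return None  # issue 3: never fetch non-http(s) redirect targets
    headers = dict(request["headers"])
    if origin(request["url"]) != origin(location):
        headers.pop("Authorization", None)  # issue 1: cross-origin, strip credentials
    new_request = {"url": location, "headers": headers}
    proxy = proxies.get(target.scheme)  # issue 2: proxy follows the new scheme
    if proxy is not None:
        new_request["proxy"] = proxy
    return new_request
```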
Remediation
Install update from vendor's website.
References
- https://github.com/scrapy/scrapy/security/advisories/GHSA-4qqq-9vqf-3h3f
- https://github.com/advisories/GHSA-4qqq-9vqf-3h3f
- https://github.com/scrapy/scrapy/security/advisories/GHSA-jm3v-qxmh-hxwv
- https://github.com/advisories/GHSA-jm3v-qxmh-hxwv
- https://github.com/scrapy/scrapy/security/advisories/GHSA-23j4-mw76-5v7h
- https://github.com/advisories/GHSA-23j4-mw76-5v7h