SB2026070765 - Cleartext transmission of sensitive information in scrapy
Published: July 7, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Cleartext transmission of sensitive information (CVE-ID: N/A)
CWE-ID: CWE-319 - Cleartext Transmission of Sensitive Information
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information and modify transmitted data.
The vulnerability exists due to cleartext transmission of sensitive information in the S3DownloadHandler when sending signed s3 requests over plaintext http by default. A remote attacker can observe or tamper with network traffic to disclose sensitive information and modify transmitted data.
Only requests made with AWS credentials are affected, and temporary credentials may expose the X-Amz-Security-Token.
Remediation
Install update from vendor's website.