
CVE-2022-0577 – Exposure of Sensitive Information to an Unauthorized Actor in scrapy/scrapy
https://notcve.org/view.php?id=CVE-2022-0577
02 Mar 2022 — Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository scrapy/scrapy prior to 2.6.1. It was discovered that Scrapy improperly exposed HTTP authentication credentials to request targets, including during redirects. An attacker could use this issue to gain unauthorized access to user accounts. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20... • https://github.com/scrapy/scrapy/commit/8ce01b3b76d4634f55067d6cfdf632ec70ba304a • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor; CWE-863: Incorrect Authorization

CVE-2021-41125 – HTTP authentication credential leak to target websites in scrapy
https://notcve.org/view.php?id=CVE-2021-41125
06 Oct 2021 — Scrapy is a high-level web crawling and scraping framework for Python. If you use `HttpAuthMiddleware` (i.e. the `http_user` and `http_pass` spider attributes) for HTTP authentication, all requests will expose your credentials to the request target. This includes requests generated by Scrapy components, such as `robots.txt` requests sent by Scrapy when the `ROBOTSTXT_OBEY` setting is set to `True`, or requests reached through redirects. Upgrade to Scrapy 2.5.1 and use the new `http_auth_domain` spider at... • http://doc.scrapy.org/en/latest/topics/downloader-middleware.html#module-scrapy.downloadermiddlewares.httpauth • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor; CWE-522: Insufficiently Protected Credentials

CVE-2017-14158
https://notcve.org/view.php?id=CVE-2017-14158
05 Sep 2017 — Scrapy 1.4 allows remote attackers to cause a denial of service (memory consumption) via large files because arbitrarily many files are read into memory, which is especially problematic if the files are then individually written in a separate thread to a slow storage resource, as demonstrated by interaction between dataReceived (in core/downloader/handlers/http11.py) and S3FilesStore. • http://blog.csdn.net/wangtua/article/details/75228728 • CWE-400: Uncontrolled Resource Consumption