CVE-2021-41125

HTTP authentication credential leak to target websites in scrapy

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Scrapy is a high-level web crawling and scraping framework for Python. If you use `HttpAuthMiddleware` (i.e. the `http_user` and `http_pass` spider attributes) for HTTP authentication, all requests will expose your credentials to the request target. This includes requests generated by Scrapy components, such as `robots.txt` requests sent by Scrapy when the `ROBOTSTXT_OBEY` setting is set to `True`, or as requests reached through redirects. Upgrade to Scrapy 2.5.1 and use the new `http_auth_domain` spider attribute to control which domains are allowed to receive the configured HTTP authentication credentials. If you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.5.1 is not an option, you may upgrade to Scrapy 1.8.1 instead. If you cannot upgrade, set your HTTP authentication credentials on a per-request basis, using for example the `w3lib.http.basic_auth_header` function to convert your credentials into a value that you can assign to the `Authorization` header of your request, instead of defining your credentials globally using `HttpAuthMiddleware`.

Scrapy es un marco de trabajo de alto nivel para el rastreo de la web y el scraping para Python. Si usa "HttpAuthMiddleware" (es decir, los atributos de araña "http_user" y "http_pass") para la autenticación HTTP, todas las peticiones expondrán sus credenciales al objetivo de la petición. Esto incluye las peticiones generadas por los componentes de Scrapy, como las peticiones "robots.txt" enviadas por Scrapy cuando la configuración "ROBOTSTXT_OBEY" se establece en "True", o como las peticiones alcanzadas a través de redirecciones. Actualice a Scrapy 2.5.1 y use el nuevo atributo de araña "http_auth_domain" para controlar qué dominios pueden recibir las credenciales de autenticación HTTP configuradas. Si está usando Scrapy versión 1.8 o una versión inferior, y la actualización a Scrapy versión 2.5.1 no es una opción, puede actualizar a Scrapy versión 1.8.1 en su lugar. Si no puede actualizar, establezca sus credenciales de autenticación HTTP por petición, usando por ejemplo la función "w3lib.http.basic_auth_header" para convertir sus credenciales en un valor que pueda asignar al encabezado "Authorization" de su petición, en lugar de definir sus credenciales globalmente usando "HttpAuthMiddleware"

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-09-15 CVE Reserved
2021-10-06 CVE Published
2024-08-04 CVE Updated
2024-10-23 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CWE-522: Insufficiently Protected Credentials

CAPEC

References (5)

URL	Tag	Source
https://github.com/scrapy/scrapy/security/advisories/GHSA-jwqp-28gf-p498	Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/03/msg00021.html	Mailing List
https://w3lib.readthedocs.io/en/latest/w3lib.html#w3lib.http.basic_auth_header	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://github.com/scrapy/scrapy/commit/b01d69a1bf48060daec8f751368622352d8b85a6	2022-04-22

URL	Date	SRC
http://doc.scrapy.org/en/latest/topics/downloader-middleware.html#module-scrapy.downloadermiddlewares.httpauth	2022-04-22

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Scrapy Search vendor "Scrapy"		Scrapy Search vendor "Scrapy" for product "Scrapy"				< 1.8.1 Search vendor "Scrapy" for product "Scrapy" and version " < 1.8.1"		-		Affected
Scrapy Search vendor "Scrapy"		Scrapy Search vendor "Scrapy" for product "Scrapy"				>= 2.0.0 < 2.5.1 Search vendor "Scrapy" for product "Scrapy" and version " >= 2.0.0 < 2.5.1"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0"		-		Affected