Credential Exposure Affecting scrapy package, versions [,1.8.3) [2.0.0,2.6.2)


0.0
medium
  • Attack Complexity

    Low

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id

    SNYK-PYTHON-SCRAPY-2964185

  • published

    31 Jul 2022

  • disclosed

    29 Jul 2022

  • credit

    Unknown

Introduced: 29 Jul 2022

New CWE-256 Open this link in a new tab

How to fix?

Upgrade Scrapy to version 1.8.3, 2.6.2 or higher.

Overview

Scrapy is a high-level web crawling and web scraping framework, used to crawl websites and extract structured data from their pages.

Affected versions of this package are vulnerable to Credential Exposure via the process_request() function in downloadermiddlewares/httpproxy.py. A proxy can leak credentials to another proxy if third-party downloader middlewares leave Proxy-Authentication headers unchanged when updating proxy metadata for a new request.

NOTE: To fully mitigate the effects of vulnerability, replacing or upgrading the third-party downloader middleware might be necessary after upgrading.

References