Credential Exposure Affecting scrapy package, versions [,1.8.3) [2.0.0,2.6.2)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PYTHON-SCRAPY-2964185
- published 31 Jul 2022
- disclosed 29 Jul 2022
- credit Unknown
How to fix?
Upgrade Scrapy to version 1.8.3, 2.6.2 or higher.
Overview
Scrapy is a high-level web crawling and web scraping framework, used to crawl websites and extract structured data from their pages.
Affected versions of this package are vulnerable to Credential Exposure via the process_request() function in downloadermiddlewares/httpproxy.py. A proxy can leak credentials to another proxy if third-party downloader middlewares leave Proxy-Authentication headers unchanged when updating proxy metadata for a new request.
NOTE: To fully mitigate the effects of vulnerability, replacing or upgrading the third-party downloader middleware might be necessary after upgrading.