Credential Exposure Affecting scrapy package, versions [,1.8.3) [2.0.0,2.6.2)


0.0
medium

Snyk CVSS

    Attack Complexity Low

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-PYTHON-SCRAPY-2964185
  • published 31 Jul 2022
  • disclosed 29 Jul 2022
  • credit Unknown

Introduced: 29 Jul 2022

CVE NOT AVAILABLE CWE-256 Open this link in a new tab

How to fix?

Upgrade Scrapy to version 1.8.3, 2.6.2 or higher.

Overview

Scrapy is a high-level web crawling and web scraping framework, used to crawl websites and extract structured data from their pages.

Affected versions of this package are vulnerable to Credential Exposure via the process_request() function in downloadermiddlewares/httpproxy.py. A proxy can leak credentials to another proxy if third-party downloader middlewares leave Proxy-Authentication headers unchanged when updating proxy metadata for a new request.

NOTE: To fully mitigate the effects of vulnerability, replacing or upgrading the third-party downloader middleware might be necessary after upgrading.

References