Origin Validation Error Affecting scrapy package, versions [,1.8.4)[2.0.0,2.11.1)


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-PYTHON-SCRAPY-6249482
  • published16 Feb 2024
  • disclosed15 Feb 2024
  • creditranjit-git

Introduced: 15 Feb 2024

CVE NOT AVAILABLE CWE-346  (opens in a new tab)

How to fix?

Upgrade Scrapy to version 1.8.4, 2.11.1 or higher.

Overview

Scrapy is a high-level web crawling and web scraping framework, used to crawl websites and extract structured data from their pages.

Affected versions of this package are vulnerable to Origin Validation Error due to the improper handling of the Authorization header during cross-domain redirects. An attacker can leak sensitive information by inducing the server to redirect a request with the Authorization header to a different domain.

Workarounds

1)Make sure that the Authentication header, either directly or through some third-party plugin is not used.

2)If that header is needed in some requests, add dont_redirect: True to the request.meta dictionary of those requests to disable following redirects for them.

3)If same domain redirect support is needed on those requests, make sure you trust the target website not to redirect your requests to a different domain.

CVSS Scores

version 3.1