Splash authentication credentials potentially leaked to target websites in scrapy-splash
Description
Scrapy-splash is a library which provides Scrapy and JavaScript integration. In affected versions, users who use `HttpAuthMiddleware` (i.e. the `http_user` and `http_pass` spider attributes) for Splash authentication will have any non-Splash request expose their credentials to the request target. This includes robots.txt requests sent by Scrapy when the `ROBOTSTXT_OBEY` setting is set to `True`. Upgrade to scrapy-splash 0.8.0 and use the new `SPLASH_USER` and `SPLASH_PASS` settings instead to set your Splash authentication credentials safely. If you cannot upgrade, set your Splash request credentials on a per-request basis, using the `splash_headers` request parameter, instead of defining them globally using `HttpAuthMiddleware`. Alternatively, make sure all your requests go through Splash; that includes disabling the robots.txt middleware.
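As an added illustration (not scrapy-splash's or Scrapy's own code), a self-contained model of the two credential strategies the description contrasts: the pre-0.8.0 `HttpAuthMiddleware` route, which attaches `Authorization` to every outgoing request, versus scoping the credentials to the Splash endpoint, which is what `SPLASH_USER`/`SPLASH_PASS` in 0.8.0 or per-request `splash_headers` achieve. `Request`, `apply_global_http_auth`, `apply_splash_scoped_auth`, `leaked_hosts`, `crawl_requests` and the Splash URL `http://splash:8050` are the model's own assumptions.

```python
import base64
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed placeholder for the Splash endpoint; not a value from the advisory.
SPLASH_URL = "http://splash:8050"


@dataclass
class Request:
    url: str                                   # where the request actually goes on the wire
    headers: dict = field(default_factory=dict)


def basic_auth(user: str, password: str) -> str:
    """HTTP Basic credential as HttpAuthMiddleware would encode it."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def apply_global_http_auth(requests, user, password):
    """Models the vulnerable setup (http_user/http_pass on the spider):
    the credentials are attached to every request, Splash-bound or not."""
    for r in requests:
        r.headers["Authorization"] = basic_auth(user, password)
    return requests


def apply_splash_scoped_auth(requests, user, password):
    """Models the fix: credentials only on requests whose wire target is Splash."""
    splash_host = urlsplit(SPLASH_URL).netloc
    for r in requests:
        if urlsplit(r.url).netloc == splash_host:
            r.headers["Authorization"] = basic_auth(user, password)
    return requests


def leaked_hosts(requests):
    """Third-party hosts that would receive the Splash credentials."""
    splash_host = urlsplit(SPLASH_URL).netloc
    return sorted({urlsplit(r.url).netloc for r in requests
                   if "Authorization" in r.headers
                   and urlsplit(r.url).netloc != splash_host})


def crawl_requests():
    """Constructed sample of what a spider with ROBOTSTXT_OBEY=True emits:
    a direct robots.txt fetch (never routed via Splash) and a Splash render call."""
    return [
        Request("https://example.com/robots.txt"),
        Request(f"{SPLASH_URL}/render.html?url=https://example.com/"),
    ]


if __name__ == "__main__":
    print("global auth leaks to:", leaked_hosts(apply_global_http_auth(crawl_requests(), "u", "p")))
    print("scoped auth leaks to:", leaked_hosts(apply_splash_scoped_auth(crawl_requests(), "u", "p")))
```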
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| scrapy-splash (PyPI) | < 0.8.0 | 0.8.0 |
Affected products
- Range: < 0.8.0
References
- github.com/advisories/GHSA-823f-cwm9-4g74 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-41124 (advisory)
- github.com/pypa/advisory-database/tree/main/vulns/scrapy-splash/PYSEC-2021-364.yaml (web)
- github.com/scrapy-plugins/scrapy-splash/commit/2b253e57fe64ec575079c8cdc99fe2013502ea31 (web)
- github.com/scrapy-plugins/scrapy-splash/releases/tag/0.8.0 (web)
- github.com/scrapy-plugins/scrapy-splash/security/advisories/GHSA-823f-cwm9-4g74 (web)