High severity · NVD Advisory · Published Apr 16, 2024 · Updated Aug 1, 2024
Authorization Header Leak During Cross-Domain Redirect in scrapy/scrapy
CVE-2024-3574
Description
In scrapy version 2.10.1, an issue was identified where the Authorization header, containing credentials for server authentication, is leaked to a third-party site during a cross-domain redirect. This vulnerability arises from the failure to remove the Authorization header when redirecting across domains. The exposure of the Authorization header to unauthorized actors could potentially allow for account hijacking.
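To make the mechanism concrete, here is an added example (not scrapy's own code and not the fix commit) of the check the advisory says was missing: a hypothetical `redirect_headers` helper resolves the `Location` value against the original request URL and drops the Authorization header whenever the target hostname differs. The sample request URL, token and redirect targets are constructed; treating any hostname change, subdomains included, as cross-domain is this example's choice.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample: a request carrying credentials that the server
# answers with a redirect. The token is a placeholder, not a real secret.
SAMPLE_REQUEST_URL = "https://api.example.com/v1/items"
SAMPLE_HEADERS = {
    "Authorization": "Bearer PLACEHOLDER-TOKEN",
    "Accept": "application/json",
}


def _host(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if the URL has none."""
    return (urlsplit(url).hostname or "").lower()


def redirect_headers(request_url: str, headers: dict, location: str) -> tuple:
    """Return (resolved redirect URL, headers to send with the redirect).

    Hypothetical helper, not scrapy's API. Relative Location values are
    resolved against the original URL first. If the resolved target's
    hostname differs from the original request's hostname, every
    Authorization header (matched case-insensitively) is removed;
    same-host redirects keep the headers unchanged.
    """
    target = urljoin(request_url, location)
    if _host(target) != _host(request_url):
        kept = {k: v for k, v in headers.items() if k.lower() != "authorization"}
        return target, kept
    return target, dict(headers)


def demo() -> dict:
    """Map each constructed redirect target to whether Authorization survives."""
    cases = {
        "same_host": "/v1/items?page=2",
        "other_host": "https://collector.example.net/landing",
        "subdomain": "https://cdn.api.example.com/",
    }
    return {
        name: "Authorization" in redirect_headers(SAMPLE_REQUEST_URL, SAMPLE_HEADERS, loc)[1]
        for name, loc in cases.items()
    }


if __name__ == "__main__":
    for name, kept in demo().items():
        print(f"{name}: Authorization {'kept' if kept else 'dropped'}")
```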
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| scrapy | PyPI | >= 2, < 2.11.1 | 2.11.1 |
| scrapy | PyPI | < 1.8.4 | 1.8.4 |
References
- github.com/advisories/GHSA-cw9j-q3vf-hrrv (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-3574 (GHSA, advisory)
- github.com/scrapy/scrapy/commit/ee7bd9d217fc126063575d5649f00bdeeca2faae (GHSA, web)
- github.com/scrapy/scrapy/security/advisories/GHSA-cw9j-q3vf-hrrv (GHSA, web)
- huntr.com/bounties/49974321-2718-43e3-a152-62b16eed72a9 (GHSA, web)
- github.com/scrapy/scrapy/commit/5bcb8fd5019c72d05c4a96da78a7fcb6ecb55b75 (MITRE)