VYPR
High severity · NVD Advisory · Published Apr 16, 2024 · Updated Aug 1, 2024

Authorization Header Leak During Cross-Domain Redirect in scrapy/scrapy

CVE-2024-3574

Description

In scrapy version 2.10.1, an issue was identified where the Authorization header, containing credentials for server authentication, is leaked to a third-party site during a cross-domain redirect. The vulnerability arises because the Authorization header is not removed when the redirect target is on a different domain. Exposing the Authorization header to unauthorized actors could allow account hijacking.
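The following is an added example and not scrapy's own code: a minimal model of how a redirect handler forwards request headers, showing the leaking behaviour the advisory describes beside the mitigation of dropping Authorization when the redirect target is on a different domain. All URLs, header values and function names are constructed for the example.

```python
from urllib.parse import urljoin, urlsplit

# Added example, not scrapy's own code: a minimal model of how a redirect
# handler forwards request headers, showing the leak CVE-2024-3574
# describes next to the mitigation of dropping Authorization when the
# redirect target is on a different domain. All URLs and header values
# are constructed.

SAMPLE_HEADERS = {"Authorization": "Basic <constructed-secret>", "User-Agent": "demo"}

def host_of(url):
    """Lowercased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()

def strip_header(headers, name):
    """Copy of `headers` without `name`, matched case-insensitively."""
    return {k: v for k, v in headers.items() if k.lower() != name.lower()}

def redirect_headers_vulnerable(request_url, location, headers):
    """Forward every header to the redirect target unchanged (the bug)."""
    return dict(headers)

def redirect_headers_hardened(request_url, location, headers):
    """Forward headers, but drop Authorization when the hostname changes."""
    target = urljoin(request_url, location)  # Location may be relative
    if host_of(target) != host_of(request_url):
        return strip_header(headers, "Authorization")
    return dict(headers)

def follow_redirects(start_url, locations, headers, policy):
    """Apply `policy` per hop; return (final_url, third-party hosts sent Authorization)."""
    url, hdrs, leaked_to = start_url, dict(headers), []
    for location in locations:
        target = urljoin(url, location)
        hdrs = policy(url, location, hdrs)
        off_origin = host_of(target) != host_of(start_url)
        if off_origin and any(k.lower() == "authorization" for k in hdrs):
            leaked_to.append(host_of(target))
        url = target
    return url, leaked_to

if __name__ == "__main__":
    chain = ["/login", "https://third-party.example/landing"]
    for policy in (redirect_headers_vulnerable, redirect_headers_hardened):
        print(policy.__name__, follow_redirects("https://api.example/start", chain, SAMPLE_HEADERS, policy))
```

With the vulnerable policy the constructed chain reports the third-party host as having received the Authorization header; with the hardened policy the list is empty because the header is dropped on the cross-domain hop.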


Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions    Patched versions
scrapy (PyPI)    >= 2, < 2.11.1       2.11.1
scrapy (PyPI)    < 1.8.4              1.8.4
