VDB
CVE-2024-3574
CVE-2024-3574
PUBLISHED
CVSS 7.5 HIGH
In scrapy version 2.10.1, an issue was identified where the Authorization header, containing credentials for server authentication, is leaked to a third-party site during a cross-domain redirect. This vulnerability arises from the failure to remove the Authorization header when redirecting across domains. The exposure of the Authorization header to unauthorized actors could potentially allow for account hijacking.
EPSS 0.12% · 30.8th percentile
Risk Scores
CVSS 3.0
7.5
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score
0.12%
30.8th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| scrapy | scrapy | 0 |
| scrapy | scrapy/scrapy | * |
| PyPI | scrapy | 2, 0 |
| scrapy | scrapy | 0 |
Exploit Intelligence
Timeline
- Feb 15, 2024 CVE Published
- Apr 16, 2024 EPSS Score
- Apr 16, 2024 CVE Updated
- May 11, 2024 EPSS Score
- Jun 5, 2024 EPSS Score
- Jun 30, 2024 EPSS Score
- Jul 25, 2024 EPSS Score
- Aug 19, 2024 EPSS Score
- Sep 13, 2024 EPSS Score
- Oct 4, 2024 Coalition ESS Score
- Oct 8, 2024 EPSS Score
- Nov 1, 2024 EPSS Score
References
- https://huntr.com/bounties/49974321-2718-43e3-a152-62b16eed72a9 url
- https://github.com/scrapy/scrapy/commit/5bcb8fd5019c72d05c4a96da78a7fcb6ecb55b75 url
- https://github.com/scrapy/scrapy/security/advisories/GHSA-cw9j-q3vf-hrrv url
- https://nvd.nist.gov/vuln/detail/CVE-2024-3574 advisory
- https://github.com/scrapy/scrapy/commit/ee7bd9d217fc126063575d5649f00bdeeca2faae url
- https://github.com/scrapy/scrapy package