Duplicate Advisory: Scrapy authorization header leakage on cross-domain redirect

GHSA-4q82-j5c2-g2c5

Published Apr 16, 2024 · Modified Nov 28, 2024

Description

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-cw9j-q3vf-hrrv. This link is maintained to preserve external references.

Original Description

In scrapy versions before 2.11.1, an issue was identified where the Authorization header, containing credentials for server authentication, is leaked to a third-party site during a cross-domain redirect. This vulnerability arises from the failure to remove the Authorization header when redirecting across domains. The exposure of the Authorization header to unauthorized actors could potentially allow for account hijacking.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-3574
WEB https://github.com/scrapy/scrapy/commit/5bcb8fd5019c72d05c4a96da78a7fcb6ecb55b75
ADVISORY https://github.com/advisories/GHSA-cw9j-q3vf-hrrv
PACKAGE https://github.com/scrapy/scrapy
WEB https://huntr.com/bounties/49974321-2718-43e3-a152-62b16eed72a9

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes