-
Notifications
You must be signed in to change notification settings - Fork 289
/
GHSA-9x8m-2xpf-crp3.json
77 lines (74 loc) · 3.53 KB
/
GHSA-9x8m-2xpf-crp3.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
{
"schema_version": "1.4.0",
"id": "GHSA-9x8m-2xpf-crp3",
"modified": "2023-11-15T18:31:22Z",
"published": "2022-07-29T22:26:57Z",
"aliases": [
],
"summary": "Scrapy before 2.6.2 and 1.8.3 vulnerable to one proxy sending credentials to another",
"details": "### Impact\n\nWhen the [built-in HTTP proxy downloader middleware](https://docs.scrapy.org/en/2.6/topics/downloader-middleware.html#module-scrapy.downloadermiddlewares.httpproxy) processes a request with `proxy` metadata, and that `proxy` metadata includes proxy credentials, the built-in HTTP proxy downloader middleware sets the `Proxy-Authentication` header, but only if that header is not already set.\n\nThere are third-party proxy-rotation downloader middlewares that set different `proxy` metadata every time they process a request.\n\nBecause of request retries and redirects, the same request can be processed by downloader middlewares more than once, including both the built-in HTTP proxy downloader middleware and any third-party proxy-rotation downloader middleware.\n\nThese third-party proxy-rotation downloader middlewares could change the `proxy` metadata of a request to a new value, but fail to remove the `Proxy-Authentication` header from the previous value of the `proxy` metadata, causing the credentials of one proxy to be leaked to a different proxy.\n\nIf you rotate proxies from different proxy providers, and any of those proxies requires credentials, you are affected, unless you are handling proxy rotation as described under **Workarounds** below. If you use a third-party downloader middleware for proxy rotation, the same applies to that downloader middleware, and installing a patched version of Scrapy may not be enough; patching that downloader middlware may be necessary as well.\n\n### Patches\n\nUpgrade to Scrapy 2.6.2.\n\nIf you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.6.2 is not an option, you may upgrade to Scrapy 1.8.3 instead.\n\n### Workarounds\n\nIf you cannot upgrade, make sure that any code that changes the value of the `proxy` request meta also removes the `Proxy-Authorization` header from the request if present.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* [Open an issue](https://github.com/scrapy/scrapy/issues)\n* [Email us](mailto:opensource@zyte.com)\n",
"severity": [
],
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "scrapy"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.8.3"
}
]
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "scrapy"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.6.2"
}
]
}
]
}
],
"references": [
{
"type": "WEB",
"url": "https://github.com/scrapy/scrapy/security/advisories/GHSA-9x8m-2xpf-crp3"
},
{
"type": "WEB",
"url": "https://github.com/scrapy/scrapy/commit/af7dd16d8ded3e6cb2946603688f4f4a5212e80f"
},
{
"type": "PACKAGE",
"url": "https://github.com/scrapy/scrapy"
}
],
"database_specific": {
"cwe_ids": [
],
"severity": "MODERATE",
"github_reviewed": true,
"github_reviewed_at": "2022-07-29T22:26:57Z",
"nvd_published_at": null
}
}