[GHSA-h7wm-ph43-c39p] Scrapy denial of service vulnerability#699

Merged: advisory-database[bot] merged 1 commit into G-Rath/advisory-improvement-699 from G-Rath-GHSA-h7wm-ph43-c39p on Sep 26, 2022

Conversation

G-Rath commented Sep 22, 2022

Updates

  • Affected products

Comments
scrapy/scrapy#482 is still open and there's no evidence it's getting worked on or has been resolved, so this should be an open-ended advisory.

github-actions bot changed the base branch from main to G-Rath/advisory-improvement-699 on September 22, 2022 03:33
shelbyc (Contributor) commented Sep 22, 2022

Hi @G-Rath , thank you for your community contribution. The standard practice of the GitHub Advisory Database is to avoid advisories with only lower bounds for the vulnerable version ranges with limited exceptions, namely malware advisories in which all versions of a package are malicious. For typical advisories, we leave open the possibility that a fixed version could exist someday. We wouldn't change this without the maintainers saying that this package is out of support or that this issue will never be addressed.

I did see that version 2.6.2 was released without a fix for CVE-2017-14158 and can change the VVR to account for 2.6.2 also being vulnerable. You will still receive community contribution credit for bringing the new vulnerable version to our attention.

advisory-database bot merged commit c262029 into G-Rath/advisory-improvement-699 on Sep 26, 2022
advisory-database bot deleted the G-Rath-GHSA-h7wm-ph43-c39p branch on September 26, 2022 18:15

advisory-database bot (Contributor) commented

Hi @G-Rath! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

danielfree commented

Hi, this will cause almost all Python projects (which will be huge in number) using Scrapy (even with the latest version) to have a new security alert but no solution offered.

G-Rath (Author) commented Sep 27, 2022

@danielfree that's a problem to take up with Scrapy, as the information reflected in this advisory is correct regardless of the number of projects impacted or the availability of a fix. I would love to have a solution to this as well because I'm impacted, but I don't work with Python enough to be able to contribute a code fix in a timely manner (I'm happy to help with coordinating and reviewing though, because that I should be able to do).

If you're keen to help, let's chat further over on scrapy/scrapy#482.

G-Rath (Author) commented Nov 7, 2022

@shelbyc so a couple of new versions of Scrapy have been released since I did this PR, yet the advisory has not been updated to reflect that they're impacted. I understand some of your reasoning, but this vulnerability has existed since 2013 and the advisory since 2017, yet there has been no work whatsoever towards resolving it, so I'd really recommend removing the upper bounds here.

Because this advisory is flagged on our end, I am keeping an eye on it in the hopes that it gets patched, and since this is the primary database for our auditing tool (osv-detector) I'm pretty invested in making sure this advisory stays up to date.
