CVE - CVE-2021-41125

CVE-ID
CVE-2021-41125	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
Scrapy is a high-level web crawling and scraping framework for Python. If you use `HttpAuthMiddleware` (i.e. the `http_user` and `http_pass` spider attributes) for HTTP authentication, all requests will expose your credentials to the request target. This includes requests generated by Scrapy components, such as `robots.txt` requests sent by Scrapy when the `ROBOTSTXT_OBEY` setting is set to `True`, or as requests reached through redirects. Upgrade to Scrapy 2.5.1 and use the new `http_auth_domain` spider attribute to control which domains are allowed to receive the configured HTTP authentication credentials. If you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.5.1 is not an option, you may upgrade to Scrapy 1.8.1 instead. If you cannot upgrade, set your HTTP authentication credentials on a per-request basis, using for example the `w3lib.http.basic_auth_header` function to convert your credentials into a value that you can assign to the `Authorization` header of your request, instead of defining your credentials globally using `HttpAuthMiddleware`.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
CONFIRM:https://github.com/scrapy/scrapy/security/advisories/GHSA-jwqp-28gf-p498 URL:https://github.com/scrapy/scrapy/security/advisories/GHSA-jwqp-28gf-p498 MISC:http://doc.scrapy.org/en/latest/topics/downloader-middleware.html#module-scrapy.downloadermiddlewares.httpauth URL:http://doc.scrapy.org/en/latest/topics/downloader-middleware.html#module-scrapy.downloadermiddlewares.httpauth MISC:https://github.com/scrapy/scrapy/commit/b01d69a1bf48060daec8f751368622352d8b85a6 URL:https://github.com/scrapy/scrapy/commit/b01d69a1bf48060daec8f751368622352d8b85a6 MISC:https://w3lib.readthedocs.io/en/latest/w3lib.html#w3lib.http.basic_auth_header URL:https://w3lib.readthedocs.io/en/latest/w3lib.html#w3lib.http.basic_auth_header MLIST:[debian-lts-announce] 20220316 [SECURITY] [DLA 2950-1] python-scrapy security update URL:https://lists.debian.org/debian-lts-announce/2022/03/msg00021.html
Assigning CNA
GitHub (maintainer security advisories)
Date Record Created
20210915	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20210915)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)