Authorization Header Leakage on Cross-Origin Redirects
A vulnerability in Scrapy versions >= 2 and <= 2.11.1, and in versions <= 1.8.4, allowed Authorization headers to leak during same-domain but cross-origin redirects (the hostname stays the same while the scheme or port changes). This issue, patched in version 2.11.2, contravened the Fetch standard, which requires the Authorization header to be removed on cross-origin redirects, and could expose credentials to an endpoint they were never intended for.
Available publicly on May 20 2024 | Available with Premium on May 14 2024
Remediation Steps
- Update Scrapy to version 2.11.2 or later.
- Review and adjust the handling of redirects in your application to ensure compliance with the Fetch standard, particularly regarding the stripping of sensitive headers in cross-origin scenarios.
- Consider implementing additional security measures to detect and prevent downgrade attacks, such as HSTS (HTTP Strict Transport Security).
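To make the redirect rule in the description and in the second remediation step concrete, here is an added example (not Scrapy's code and not the linked patch) that compares a hostname-only check, which lets the header leak, with the Fetch standard's origin check of scheme, host and port. The URLs and header values are constructed, and headers are assumed to be a plain dict with a canonical `Authorization` key.

```python
"""Added example: should an Authorization header follow a redirect?

Fetch defines an origin as (scheme, host, port); a redirect that leaves the
hostname untouched but changes scheme or port is still cross-origin.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def hostname_key(url: str) -> str:
    """Hostname-only view of a URL: http://example.com and
    https://example.com look identical, which is the weak check."""
    return (urlsplit(url).hostname or "").lower()


def origin_key(url: str) -> tuple:
    """Fetch-standard origin: scheme, lowercased host, explicit or default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def redirect_headers(request_url: str, redirect_url: str, headers: dict,
                     key=origin_key) -> dict:
    """Return the headers to send on the redirected request.

    `key` maps a URL to a comparable identity. Authorization is kept only when
    the original and redirect URLs share that identity. The default (origin_key)
    follows Fetch; passing hostname_key reproduces the leaking behaviour.
    """
    kept = dict(headers)
    if key(request_url) != key(redirect_url):
        kept.pop("Authorization", None)
    return kept


if __name__ == "__main__":
    # Constructed sample: an https request answered with a redirect to http
    # on the same host, i.e. same domain but a different origin.
    hdrs = {"Authorization": "Bearer constructed-token", "Accept": "*/*"}
    src, dst = "https://example.com/login", "http://example.com/next"
    print("hostname-only:", redirect_headers(src, dst, hdrs, key=hostname_key))
    print("fetch origin: ", redirect_headers(src, dst, hdrs))
```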
Patch Details
- Fixed Version: 2.11.2
- Patch Commit: https://github.com/scrapy/scrapy/commit/1d0502f25bbe55a22899af915623fda1aaeb9dd8