cvelistv5 - cve-2022-0577

CVE-2022-0577 (GCVE-0-2022-0577)

Vulnerability from cvelistv5

Published

2022-03-02 04:05

Modified

2024-08-02 23:32

Severity ?

8.8 (High) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

Summary

Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository scrapy/scrapy prior to 2.6.1.

References

URL

	Vendor	Product	Version
	scrapy	scrapy/scrapy	Version: unspecified < 2.6.1

ghsa-cjvr-mfj7-j4j8

Vulnerability from github

Published

2022-03-01 22:12

Modified

2024-10-22 16:37

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Summary

Incorrect Authorization and Exposure of Sensitive Information to an Unauthorized Actor in scrapy

Details

Impact

If you manually define cookies on a Request object, and that Request object gets a redirect response, the new Request object scheduled to follow the redirect keeps those user-defined cookies, regardless of the target domain.

Patches

Upgrade to Scrapy 2.6.0, which resets cookies when creating Request objects to follow redirects¹, and drops the Cookie header if manually-defined if the redirect target URL domain name does not match the source URL domain name².

If you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.6.0 is not an option, you may upgrade to Scrapy 1.8.2 instead.

¹ At that point the original, user-set cookies have been processed by the cookie middleware into the global or request-specific cookiejar, with their domain restricted to the domain of the original URL, so when the cookie middleware processes the new (redirect) request it will incorporate those cookies into the new request as long as the domain of the new request matches the domain of the original request.

² This prevents cookie leaks to unintended domains even if the cookies middleware is not used.

Workarounds

If you cannot upgrade, set your cookies using a list of dictionaries instead of a single dictionary, as described in the Request documentation, and set the right domain for each cookie.

Alternatively, you can disable cookies altogether, or limit target domains to domains that you trust with all your user-set cookies.

References

Originally reported at huntr.dev

For more information

If you have any questions or comments about this advisory: * Open an issue * Email us

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "scrapy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.8.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 2.6.0"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "scrapy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.6.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-0577"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-03-01T22:12:47Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nIf you manually define cookies on a [`Request`](https://docs.scrapy.org/en/latest/topics/request-response.html#scrapy.http.Request) object, and that `Request` object gets a redirect response, the new `Request` object scheduled to follow the redirect keeps those user-defined cookies, regardless of the target domain.\n\n### Patches\n\nUpgrade to Scrapy 2.6.0, which resets cookies when creating `Request` objects to follow redirects\u00b9, and drops the ``Cookie`` header if manually-defined if the redirect target URL domain name does not match the source URL domain name\u00b2.\n\nIf you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.6.0 is not an option, you may upgrade to Scrapy 1.8.2 instead.\n\n\u00b9 At that point the original, user-set cookies have been processed by the cookie middleware into the global or request-specific cookiejar, with their domain restricted to the domain of the original URL, so when the cookie middleware processes the new (redirect) request it will incorporate those cookies into the new request as long as the domain of the new request matches the domain of the original request.\n\n\u00b2 This prevents cookie leaks to unintended domains even if the cookies middleware is not used.\n\n### Workarounds\n\nIf you cannot upgrade, set your cookies using a list of dictionaries instead of a single dictionary, as described in the [`Request` documentation](https://docs.scrapy.org/en/latest/topics/request-response.html#scrapy.http.Request), and set the right domain for each cookie.\n\nAlternatively, you can [disable cookies altogether](https://docs.scrapy.org/en/latest/topics/downloader-middleware.html#std-setting-COOKIES_ENABLED), or [limit target domains](https://docs.scrapy.org/en/latest/topics/spiders.html#scrapy.spiders.Spider.allowed_domains) to domains that you trust with all your user-set cookies.\n\n### References\n* Originally reported at [huntr.dev](https://huntr.dev/bounties/3da527b1-2348-4f69-9e88-2e11a96ac585/)\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* [Open an issue](https://github.com/scrapy/scrapy/issues)\n* [Email us](mailto:opensource@zyte.com)",
  "id": "GHSA-cjvr-mfj7-j4j8",
  "modified": "2024-10-22T16:37:18Z",
  "published": "2022-03-01T22:12:47Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/scrapy/scrapy/security/advisories/GHSA-cjvr-mfj7-j4j8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0577"
    },
    {
      "type": "WEB",
      "url": "https://github.com/scrapy/scrapy/commit/8ce01b3b76d4634f55067d6cfdf632ec70ba304a"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/scrapy/PYSEC-2022-159.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/scrapy/scrapy"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/3da527b1-2348-4f69-9e88-2e11a96ac585"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00021.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Incorrect Authorization and Exposure of Sensitive Information to an Unauthorized Actor in scrapy"
}

pysec-2022-159

Vulnerability from pysec

Published

2022-03-02 04:15

Modified

2022-03-09 19:24

Details

Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository scrapy/scrapy prior to 2.6.1.

Impacted products

Name	purl
scrapy	pkg:pypi/scrapy

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "scrapy",
        "purl": "pkg:pypi/scrapy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8ce01b3b76d4634f55067d6cfdf632ec70ba304a"
            }
          ],
          "repo": "https://github.com/scrapy/scrapy",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.6.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.10.4.2364",
        "0.12.0.2550",
        "0.14.1",
        "0.14.2",
        "0.14.3",
        "0.14.4",
        "0.16.0",
        "0.16.1",
        "0.16.2",
        "0.16.3",
        "0.16.4",
        "0.16.5",
        "0.18.0",
        "0.18.1",
        "0.18.2",
        "0.18.3",
        "0.18.4",
        "0.20.0",
        "0.20.1",
        "0.20.2",
        "0.22.0",
        "0.22.1",
        "0.22.2",
        "0.24.0",
        "0.24.1",
        "0.24.2",
        "0.24.3",
        "0.24.4",
        "0.24.5",
        "0.24.6",
        "0.7",
        "0.8",
        "0.9",
        "1.0.0",
        "1.0.0rc1",
        "1.0.0rc2",
        "1.0.0rc3",
        "1.0.1",
        "1.0.2",
        "1.0.3",
        "1.0.4",
        "1.0.5",
        "1.0.6",
        "1.0.7",
        "1.1.0",
        "1.1.0rc1",
        "1.1.0rc2",
        "1.1.0rc3",
        "1.1.0rc4",
        "1.1.1",
        "1.1.2",
        "1.1.3",
        "1.1.4",
        "1.2.0",
        "1.2.1",
        "1.2.2",
        "1.2.3",
        "1.3.0",
        "1.3.1",
        "1.3.2",
        "1.3.3",
        "1.4.0",
        "1.5.0",
        "1.5.1",
        "1.5.2",
        "1.6.0",
        "1.7.0",
        "1.7.1",
        "1.7.2",
        "1.7.3",
        "1.7.4",
        "1.8.0",
        "1.8.1",
        "1.8.2",
        "2.0.0",
        "2.0.1",
        "2.1.0",
        "2.2.0",
        "2.2.1",
        "2.3.0",
        "2.4.0",
        "2.4.1",
        "2.5.0",
        "2.5.1",
        "2.6.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2022-0577",
    "GHSA-cjvr-mfj7-j4j8"
  ],
  "details": "Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository scrapy/scrapy prior to 2.6.1.",
  "id": "PYSEC-2022-159",
  "modified": "2022-03-09T19:24:19.981012Z",
  "published": "2022-03-02T04:15:00Z",
  "references": [
    {
      "type": "FIX",
      "url": "https://github.com/scrapy/scrapy/commit/8ce01b3b76d4634f55067d6cfdf632ec70ba304a"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/3da527b1-2348-4f69-9e88-2e11a96ac585"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-cjvr-mfj7-j4j8"
    }
  ]
}

opensuse-su-2024:11889-1

Vulnerability from csaf_opensuse

Published

2024-06-15 00:00

Modified

2024-06-15 00:00

Summary

python-Scrapy-doc-2.6.1-1.1 on GA media

Notes

Title of the patch

python-Scrapy-doc-2.6.1-1.1 on GA media

Description of the patch

These are all security issues fixed in the python-Scrapy-doc-2.6.1-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames

openSUSE-Tumbleweed-2024-11889

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "python-Scrapy-doc-2.6.1-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the python-Scrapy-doc-2.6.1-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2024-11889",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_11889-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-0577 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-0577/"
      }
    ],
    "title": "python-Scrapy-doc-2.6.1-1.1 on GA media",
    "tracking": {
      "current_release_date": "2024-06-15T00:00:00Z",
      "generator": {
        "date": "2024-06-15T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2024:11889-1",
      "initial_release_date": "2024-06-15T00:00:00Z",
      "revision_history": [
        {
          "date": "2024-06-15T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python-Scrapy-doc-2.6.1-1.1.aarch64",
                "product": {
                  "name": "python-Scrapy-doc-2.6.1-1.1.aarch64",
                  "product_id": "python-Scrapy-doc-2.6.1-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "python310-Scrapy-2.6.1-1.1.aarch64",
                "product": {
                  "name": "python310-Scrapy-2.6.1-1.1.aarch64",
                  "product_id": "python310-Scrapy-2.6.1-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "python38-Scrapy-2.6.1-1.1.aarch64",
                "product": {
                  "name": "python38-Scrapy-2.6.1-1.1.aarch64",
                  "product_id": "python38-Scrapy-2.6.1-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "python39-Scrapy-2.6.1-1.1.aarch64",
                "product": {
                  "name": "python39-Scrapy-2.6.1-1.1.aarch64",
                  "product_id": "python39-Scrapy-2.6.1-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python-Scrapy-doc-2.6.1-1.1.ppc64le",
                "product": {
                  "name": "python-Scrapy-doc-2.6.1-1.1.ppc64le",
                  "product_id": "python-Scrapy-doc-2.6.1-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "python310-Scrapy-2.6.1-1.1.ppc64le",
                "product": {
                  "name": "python310-Scrapy-2.6.1-1.1.ppc64le",
                  "product_id": "python310-Scrapy-2.6.1-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "python38-Scrapy-2.6.1-1.1.ppc64le",
                "product": {
                  "name": "python38-Scrapy-2.6.1-1.1.ppc64le",
                  "product_id": "python38-Scrapy-2.6.1-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "python39-Scrapy-2.6.1-1.1.ppc64le",
                "product": {
                  "name": "python39-Scrapy-2.6.1-1.1.ppc64le",
                  "product_id": "python39-Scrapy-2.6.1-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python-Scrapy-doc-2.6.1-1.1.s390x",
                "product": {
                  "name": "python-Scrapy-doc-2.6.1-1.1.s390x",
                  "product_id": "python-Scrapy-doc-2.6.1-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "python310-Scrapy-2.6.1-1.1.s390x",
                "product": {
                  "name": "python310-Scrapy-2.6.1-1.1.s390x",
                  "product_id": "python310-Scrapy-2.6.1-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "python38-Scrapy-2.6.1-1.1.s390x",
                "product": {
                  "name": "python38-Scrapy-2.6.1-1.1.s390x",
                  "product_id": "python38-Scrapy-2.6.1-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "python39-Scrapy-2.6.1-1.1.s390x",
                "product": {
                  "name": "python39-Scrapy-2.6.1-1.1.s390x",
                  "product_id": "python39-Scrapy-2.6.1-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python-Scrapy-doc-2.6.1-1.1.x86_64",
                "product": {
                  "name": "python-Scrapy-doc-2.6.1-1.1.x86_64",
                  "product_id": "python-Scrapy-doc-2.6.1-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python310-Scrapy-2.6.1-1.1.x86_64",
                "product": {
                  "name": "python310-Scrapy-2.6.1-1.1.x86_64",
                  "product_id": "python310-Scrapy-2.6.1-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python38-Scrapy-2.6.1-1.1.x86_64",
                "product": {
                  "name": "python38-Scrapy-2.6.1-1.1.x86_64",
                  "product_id": "python38-Scrapy-2.6.1-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python39-Scrapy-2.6.1-1.1.x86_64",
                "product": {
                  "name": "python39-Scrapy-2.6.1-1.1.x86_64",
                  "product_id": "python39-Scrapy-2.6.1-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-Scrapy-doc-2.6.1-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python-Scrapy-doc-2.6.1-1.1.aarch64"
        },
        "product_reference": "python-Scrapy-doc-2.6.1-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-Scrapy-doc-2.6.1-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python-Scrapy-doc-2.6.1-1.1.ppc64le"
        },
        "product_reference": "python-Scrapy-doc-2.6.1-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-Scrapy-doc-2.6.1-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python-Scrapy-doc-2.6.1-1.1.s390x"
        },
        "product_reference": "python-Scrapy-doc-2.6.1-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-Scrapy-doc-2.6.1-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python-Scrapy-doc-2.6.1-1.1.x86_64"
        },
        "product_reference": "python-Scrapy-doc-2.6.1-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python310-Scrapy-2.6.1-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python310-Scrapy-2.6.1-1.1.aarch64"
        },
        "product_reference": "python310-Scrapy-2.6.1-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python310-Scrapy-2.6.1-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python310-Scrapy-2.6.1-1.1.ppc64le"
        },
        "product_reference": "python310-Scrapy-2.6.1-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python310-Scrapy-2.6.1-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python310-Scrapy-2.6.1-1.1.s390x"
        },
        "product_reference": "python310-Scrapy-2.6.1-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python310-Scrapy-2.6.1-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python310-Scrapy-2.6.1-1.1.x86_64"
        },
        "product_reference": "python310-Scrapy-2.6.1-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python38-Scrapy-2.6.1-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python38-Scrapy-2.6.1-1.1.aarch64"
        },
        "product_reference": "python38-Scrapy-2.6.1-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python38-Scrapy-2.6.1-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python38-Scrapy-2.6.1-1.1.ppc64le"
        },
        "product_reference": "python38-Scrapy-2.6.1-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python38-Scrapy-2.6.1-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python38-Scrapy-2.6.1-1.1.s390x"
        },
        "product_reference": "python38-Scrapy-2.6.1-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python38-Scrapy-2.6.1-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python38-Scrapy-2.6.1-1.1.x86_64"
        },
        "product_reference": "python38-Scrapy-2.6.1-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python39-Scrapy-2.6.1-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python39-Scrapy-2.6.1-1.1.aarch64"
        },
        "product_reference": "python39-Scrapy-2.6.1-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python39-Scrapy-2.6.1-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python39-Scrapy-2.6.1-1.1.ppc64le"
        },
        "product_reference": "python39-Scrapy-2.6.1-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python39-Scrapy-2.6.1-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python39-Scrapy-2.6.1-1.1.s390x"
        },
        "product_reference": "python39-Scrapy-2.6.1-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python39-Scrapy-2.6.1-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python39-Scrapy-2.6.1-1.1.x86_64"
        },
        "product_reference": "python39-Scrapy-2.6.1-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-0577",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-0577"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository scrapy/scrapy prior to 2.6.1.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:python-Scrapy-doc-2.6.1-1.1.aarch64",
          "openSUSE Tumbleweed:python-Scrapy-doc-2.6.1-1.1.ppc64le",
          "openSUSE Tumbleweed:python-Scrapy-doc-2.6.1-1.1.s390x",
          "openSUSE Tumbleweed:python-Scrapy-doc-2.6.1-1.1.x86_64",
          "openSUSE Tumbleweed:python310-Scrapy-2.6.1-1.1.aarch64",
          "openSUSE Tumbleweed:python310-Scrapy-2.6.1-1.1.ppc64le",
          "openSUSE Tumbleweed:python310-Scrapy-2.6.1-1.1.s390x",
          "openSUSE Tumbleweed:python310-Scrapy-2.6.1-1.1.x86_64",
          "openSUSE Tumbleweed:python38-Scrapy-2.6.1-1.1.aarch64",
          "openSUSE Tumbleweed:python38-Scrapy-2.6.1-1.1.ppc64le",
          "openSUSE Tumbleweed:python38-Scrapy-2.6.1-1.1.s390x",
          "openSUSE Tumbleweed:python38-Scrapy-2.6.1-1.1.x86_64",
          "openSUSE Tumbleweed:python39-Scrapy-2.6.1-1.1.aarch64",
          "openSUSE Tumbleweed:python39-Scrapy-2.6.1-1.1.ppc64le",
          "openSUSE Tumbleweed:python39-Scrapy-2.6.1-1.1.s390x",
          "openSUSE Tumbleweed:python39-Scrapy-2.6.1-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-0577",
          "url": "https://www.suse.com/security/cve/CVE-2022-0577"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1196638 for CVE-2022-0577",
          "url": "https://bugzilla.suse.com/1196638"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:python-Scrapy-doc-2.6.1-1.1.aarch64",
            "openSUSE Tumbleweed:python-Scrapy-doc-2.6.1-1.1.ppc64le",
            "openSUSE Tumbleweed:python-Scrapy-doc-2.6.1-1.1.s390x",
            "openSUSE Tumbleweed:python-Scrapy-doc-2.6.1-1.1.x86_64",
            "openSUSE Tumbleweed:python310-Scrapy-2.6.1-1.1.aarch64",
            "openSUSE Tumbleweed:python310-Scrapy-2.6.1-1.1.ppc64le",
            "openSUSE Tumbleweed:python310-Scrapy-2.6.1-1.1.s390x",
            "openSUSE Tumbleweed:python310-Scrapy-2.6.1-1.1.x86_64",
            "openSUSE Tumbleweed:python38-Scrapy-2.6.1-1.1.aarch64",
            "openSUSE Tumbleweed:python38-Scrapy-2.6.1-1.1.ppc64le",
            "openSUSE Tumbleweed:python38-Scrapy-2.6.1-1.1.s390x",
            "openSUSE Tumbleweed:python38-Scrapy-2.6.1-1.1.x86_64",
            "openSUSE Tumbleweed:python39-Scrapy-2.6.1-1.1.aarch64",
            "openSUSE Tumbleweed:python39-Scrapy-2.6.1-1.1.ppc64le",
            "openSUSE Tumbleweed:python39-Scrapy-2.6.1-1.1.s390x",
            "openSUSE Tumbleweed:python39-Scrapy-2.6.1-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:python-Scrapy-doc-2.6.1-1.1.aarch64",
            "openSUSE Tumbleweed:python-Scrapy-doc-2.6.1-1.1.ppc64le",
            "openSUSE Tumbleweed:python-Scrapy-doc-2.6.1-1.1.s390x",
            "openSUSE Tumbleweed:python-Scrapy-doc-2.6.1-1.1.x86_64",
            "openSUSE Tumbleweed:python310-Scrapy-2.6.1-1.1.aarch64",
            "openSUSE Tumbleweed:python310-Scrapy-2.6.1-1.1.ppc64le",
            "openSUSE Tumbleweed:python310-Scrapy-2.6.1-1.1.s390x",
            "openSUSE Tumbleweed:python310-Scrapy-2.6.1-1.1.x86_64",
            "openSUSE Tumbleweed:python38-Scrapy-2.6.1-1.1.aarch64",
            "openSUSE Tumbleweed:python38-Scrapy-2.6.1-1.1.ppc64le",
            "openSUSE Tumbleweed:python38-Scrapy-2.6.1-1.1.s390x",
            "openSUSE Tumbleweed:python38-Scrapy-2.6.1-1.1.x86_64",
            "openSUSE Tumbleweed:python39-Scrapy-2.6.1-1.1.aarch64",
            "openSUSE Tumbleweed:python39-Scrapy-2.6.1-1.1.ppc64le",
            "openSUSE Tumbleweed:python39-Scrapy-2.6.1-1.1.s390x",
            "openSUSE Tumbleweed:python39-Scrapy-2.6.1-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2022-0577"
    }
  ]
}

gsd-2022-0577

Vulnerability from gsd

Modified

2023-12-13 01:19

Details

Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository scrapy/scrapy prior to 2.6.1.

Aliases

CVE-2022-0577

Aliases

CVE-2022-0577

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-0577",
    "description": "Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository scrapy/scrapy prior to 2.6.1.",
    "id": "GSD-2022-0577",
    "references": [
      "https://www.suse.com/security/cve/CVE-2022-0577.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-0577"
      ],
      "details": "Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository scrapy/scrapy prior to 2.6.1.",
      "id": "GSD-2022-0577",
      "modified": "2023-12-13T01:19:11.331253Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@huntr.dev",
        "ID": "CVE-2022-0577",
        "STATE": "PUBLIC",
        "TITLE": "Exposure of Sensitive Information to an Unauthorized Actor in scrapy/scrapy"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "scrapy/scrapy",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_value": "2.6.1"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "scrapy"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository scrapy/scrapy prior to 2.6.1."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.0"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://huntr.dev/bounties/3da527b1-2348-4f69-9e88-2e11a96ac585",
            "refsource": "CONFIRM",
            "url": "https://huntr.dev/bounties/3da527b1-2348-4f69-9e88-2e11a96ac585"
          },
          {
            "name": "https://github.com/scrapy/scrapy/commit/8ce01b3b76d4634f55067d6cfdf632ec70ba304a",
            "refsource": "MISC",
            "url": "https://github.com/scrapy/scrapy/commit/8ce01b3b76d4634f55067d6cfdf632ec70ba304a"
          },
          {
            "name": "[debian-lts-announce] 20220316 [SECURITY] [DLA 2950-1] python-scrapy security update",
            "refsource": "MLIST",
            "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00021.html"
          }
        ]
      },
      "source": {
        "advisory": "3da527b1-2348-4f69-9e88-2e11a96ac585",
        "discovery": "EXTERNAL"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c2.6.1",
          "affected_versions": "All versions before 2.6.1",
          "cvss_v2": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-863",
            "CWE-937"
          ],
          "date": "2022-03-24",
          "description": "Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository scrapy/scrapy prior to 2.6.1.",
          "fixed_versions": [
            "2.6.1"
          ],
          "identifier": "CVE-2022-0577",
          "identifiers": [
            "CVE-2022-0577",
            "GHSA-cjvr-mfj7-j4j8"
          ],
          "not_impacted": "All versions starting from 2.6.1",
          "package_slug": "pypi/scrapy",
          "pubdate": "2022-03-02",
          "solution": "Upgrade to version 2.6.1 or above.",
          "title": "User-set cookies are kept on redirect requests regardless of the target domain",
          "urls": [
            "https://github.com/scrapy/scrapy/security/advisories/GHSA-cjvr-mfj7-j4j8",
            "https://github.com/scrapy/scrapy/commit/8ce01b3b76d4634f55067d6cfdf632ec70ba304a",
            "https://nvd.nist.gov/vuln/detail/CVE-2022-0577",
            "https://huntr.dev/bounties/3da527b1-2348-4f69-9e88-2e11a96ac585",
            "https://github.com/advisories/GHSA-cjvr-mfj7-j4j8"
          ],
          "uuid": "ced4efc1-e1a2-4701-ba61-46031b64b145"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:scrapy:scrapy:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.6.1",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@huntr.dev",
          "ID": "CVE-2022-0577"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository scrapy/scrapy prior to 2.6.1."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-863"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/scrapy/scrapy/commit/8ce01b3b76d4634f55067d6cfdf632ec70ba304a",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/scrapy/scrapy/commit/8ce01b3b76d4634f55067d6cfdf632ec70ba304a"
            },
            {
              "name": "https://huntr.dev/bounties/3da527b1-2348-4f69-9e88-2e11a96ac585",
              "refsource": "CONFIRM",
              "tags": [
                "Exploit",
                "Issue Tracking",
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://huntr.dev/bounties/3da527b1-2348-4f69-9e88-2e11a96ac585"
            },
            {
              "name": "[debian-lts-announce] 20220316 [SECURITY] [DLA 2950-1] python-scrapy security update",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00021.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 4.0,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2022-03-24T15:32Z",
      "publishedDate": "2022-03-02T04:15Z"
    }
  }
}

cnvd-2022-17012

Vulnerability from cnvd

Title

Scrapy信息泄露漏洞（CNVD-2022-17012）

Description

Scrapy是一个用Python编写的自由且开源的网络爬虫框架。 Scrapy 2.6.1之前版本中存在信息泄露漏洞，该漏洞源于产品未对敏感信息进行有效保护。攻击者可利用该漏洞获得敏感信息。

Severity

高

Patch Name

Scrapy信息泄露漏洞（CNVD-2022-17012）的补丁

Patch Description

Scrapy是一个用Python编写的自由且开源的网络爬虫框架。 Scrapy 2.6.1之前版本中存在信息泄露漏洞，该漏洞源于产品未对敏感信息进行有效保护。攻击者可利用该漏洞获得敏感信息。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://github.com/scrapy/scrapy

Reference

https://github.com/scrapy/scrapy/commit/8ce01b3b76d4634f55067d6cfdf632ec70ba304a

Impacted products

Name
Scrapy Scrapy <2.6.1

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2022-0577",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2022-0577"
    }
  },
  "description": "Scrapy\u662f\u4e00\u4e2a\u7528Python\u7f16\u5199\u7684\u81ea\u7531\u4e14\u5f00\u6e90\u7684\u7f51\u7edc\u722c\u866b\u6846\u67b6\u3002\n\nScrapy  2.6.1\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u4ea7\u54c1\u672a\u5bf9\u654f\u611f\u4fe1\u606f\u8fdb\u884c\u6709\u6548\u4fdd\u62a4\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u5f97\u654f\u611f\u4fe1\u606f\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://github.com/scrapy/scrapy",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-17012",
  "openTime": "2022-03-06",
  "patchDescription": "Scrapy\u662f\u4e00\u4e2a\u7528Python\u7f16\u5199\u7684\u81ea\u7531\u4e14\u5f00\u6e90\u7684\u7f51\u7edc\u722c\u866b\u6846\u67b6\u3002\r\n\r\nScrapy  2.6.1\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u4ea7\u54c1\u672a\u5bf9\u654f\u611f\u4fe1\u606f\u8fdb\u884c\u6709\u6548\u4fdd\u62a4\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u5f97\u654f\u611f\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Scrapy\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2022-17012\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "Scrapy Scrapy \u003c2.6.1"
  },
  "referenceLink": "https://github.com/scrapy/scrapy/commit/8ce01b3b76d4634f55067d6cfdf632ec70ba304a",
  "serverity": "\u9ad8",
  "submitTime": "2022-03-04",
  "title": "Scrapy\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2022-17012\uff09"
}

fkie_cve-2022-0577

Vulnerability from fkie_nvd

Published

2022-03-02 04:15

Modified

2024-11-21 06:38

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Summary

Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository scrapy/scrapy prior to 2.6.1.

References

URL	Tags
security@huntr.dev	https://github.com/scrapy/scrapy/commit/8ce01b3b76d4634f55067d6cfdf632ec70ba304a	Patch, Third Party Advisory
security@huntr.dev	https://huntr.dev/bounties/3da527b1-2348-4f69-9e88-2e11a96ac585	Exploit, Issue Tracking, Patch, Third Party Advisory
security@huntr.dev	https://lists.debian.org/debian-lts-announce/2022/03/msg00021.html	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/scrapy/scrapy/commit/8ce01b3b76d4634f55067d6cfdf632ec70ba304a	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://huntr.dev/bounties/3da527b1-2348-4f69-9e88-2e11a96ac585	Exploit, Issue Tracking, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2022/03/msg00021.html	Mailing List, Third Party Advisory

Impacted products

	Vendor	Product	Version
	scrapy	scrapy	*
	debian	debian_linux	9.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:scrapy:scrapy:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "CDE4A502-62CA-49F4-88B8-521D66EEA30C",
              "versionEndExcluding": "2.6.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository scrapy/scrapy prior to 2.6.1."
    },
    {
      "lang": "es",
      "value": "Una Exposici\u00f3n de Informaci\u00f3n Confidencial a un Actor no Autorizado en el repositorio de GitHub scrapy/scrapy versiones anteriores a 2.6.1"
    }
  ],
  "id": "CVE-2022-0577",
  "lastModified": "2024-11-21T06:38:57.217",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 4.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "security@huntr.dev",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-03-02T04:15:06.960",
  "references": [
    {
      "source": "security@huntr.dev",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/scrapy/scrapy/commit/8ce01b3b76d4634f55067d6cfdf632ec70ba304a"
    },
    {
      "source": "security@huntr.dev",
      "tags": [
        "Exploit",
        "Issue Tracking",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://huntr.dev/bounties/3da527b1-2348-4f69-9e88-2e11a96ac585"
    },
    {
      "source": "security@huntr.dev",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00021.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/scrapy/scrapy/commit/8ce01b3b76d4634f55067d6cfdf632ec70ba304a"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Issue Tracking",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://huntr.dev/bounties/3da527b1-2348-4f69-9e88-2e11a96ac585"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00021.html"
    }
  ],
  "sourceIdentifier": "security@huntr.dev",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        }
      ],
      "source": "security@huntr.dev",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-863"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2022-0577 (GCVE-0-2022-0577)

Vulnerability from cvelistv5

ghsa-cjvr-mfj7-j4j8

Vulnerability from github

Impact

Patches

Workarounds

References

For more information

pysec-2022-159

Vulnerability from pysec

opensuse-su-2024:11889-1

Vulnerability from csaf_opensuse

gsd-2022-0577

Vulnerability from gsd

cnvd-2022-17012

Vulnerability from cnvd

fkie_cve-2022-0577

Vulnerability from fkie_nvd

Tags

Sightings

Nomenclature