CVE-2024-3572

CVSS V2 None CVSS V3 None

Description

The scrapy/scrapy project is vulnerable to XML External Entity (XXE) attacks due to the use of lxml.etree.fromstring for parsing untrusted XML data without proper validation. This vulnerability allows attackers to perform denial of service attacks, access local files, generate network connections, or circumvent firewalls by submitting specially crafted XML data.

Overview

CVE ID
CVE-2024-3572

Assigner
@huntr_ai

Vulnerability Status
PUBLISHED

Published Version
2024-04-16T00:00:14.499Z

Last Modified Date
2024-04-16T11:10:55.785Z

Weakness Enumerations

CWE	URL
CWE-409	http://cwe.mitre.org/data/definitions/409.html

References

Reference URL	Reference Tags
https://huntr.com/bounties/c4a0fac9-0c5a-4718-9ee4-2d06d58adabb
https://github.com/scrapy/scrapy/commit/809bfac4890f75fc73607318a04d2ccba71b3d9f

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-3572
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3572

History

Created	Old Value	New Value	Data Type	Notes
2024-06-23 23:26:53				Added to TrackCVE