CVE-2024-3574

CVSS V2 None CVSS V3 None

Description

In scrapy version 2.10.1, an issue was identified where the Authorization header, containing credentials for server authentication, is leaked to a third-party site during a cross-domain redirect. This vulnerability arises from the failure to remove the Authorization header when redirecting across domains. The exposure of the Authorization header to unauthorized actors could potentially allow for account hijacking.

Overview

CVE ID
CVE-2024-3574

Assigner
@huntr_ai

Vulnerability Status
PUBLISHED

Published Version
2024-04-16T00:00:15.109Z

Last Modified Date
2024-04-16T11:10:56.646Z

Weakness Enumerations

CWE	URL
CWE-200	http://cwe.mitre.org/data/definitions/200.html

References

Reference URL	Reference Tags
https://huntr.com/bounties/49974321-2718-43e3-a152-62b16eed72a9
https://github.com/scrapy/scrapy/commit/5bcb8fd5019c72d05c4a96da78a7fcb6ecb55b75

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-3574
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3574

History

Created	Old Value	New Value	Data Type	Notes
2024-06-23 23:08:55				Added to TrackCVE