Vulnerable Library - Scrapy-2.7.1-py2.py3-none-any.whl
A high-level Web Crawling and Web Scraping framework
Library home page: https://files.pythonhosted.org/packages/00/34/9598461dfc319a2cda4c7eb8322f7f5c88979e9fc2a29385cec677b93af1/Scrapy-2.7.1-py2.py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Found in HEAD commit: 300cd60a8d64abc0cd67bf827a5010971b28f220
Vulnerabilities
| CVE | Severity | CVSS | Dependency | Type | Fixed in (Scrapy version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2024-3572 | High | 7.5 | Scrapy-2.7.1-py2.py3-none-any.whl | Direct | scrapy - 2.11.1 | ❌ |
| CVE-2024-1892 | High | 7.5 | Scrapy-2.7.1-py2.py3-none-any.whl | Direct | scrapy - 2.11.1 | ❌ |
**In some cases, a remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.
Details
CVE-2024-3572
Vulnerable Library - Scrapy-2.7.1-py2.py3-none-any.whl
A high-level Web Crawling and Web Scraping framework
Library home page: https://files.pythonhosted.org/packages/00/34/9598461dfc319a2cda4c7eb8322f7f5c88979e9fc2a29385cec677b93af1/Scrapy-2.7.1-py2.py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- ❌ Scrapy-2.7.1-py2.py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 300cd60a8d64abc0cd67bf827a5010971b28f220
Found in base branch: master
Vulnerability Details
The scrapy/scrapy project is vulnerable to XML External Entity (XXE) attacks due to the use of lxml.etree.fromstring for parsing untrusted XML data without proper validation. This vulnerability allows attackers to perform denial of service attacks, access local files, generate network connections, or circumvent firewalls by submitting specially crafted XML data.
Publish Date: 2024-04-16
URL: CVE-2024-3572
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-3572
Release Date: 2024-04-16
Fix Resolution: scrapy - 2.11.1
Step up your Open Source Security Game with Mend here
CVE-2024-1892
Vulnerable Library - Scrapy-2.7.1-py2.py3-none-any.whl
A high-level Web Crawling and Web Scraping framework
Library home page: https://files.pythonhosted.org/packages/00/34/9598461dfc319a2cda4c7eb8322f7f5c88979e9fc2a29385cec677b93af1/Scrapy-2.7.1-py2.py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- ❌ Scrapy-2.7.1-py2.py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 300cd60a8d64abc0cd67bf827a5010971b28f220
Found in base branch: master
Vulnerability Details
A Regular Expression Denial of Service (ReDoS) vulnerability exists in the XMLFeedSpider class of the scrapy/scrapy project, specifically in the parsing of XML content. By crafting malicious XML content that exploits inefficient regular expression complexity used in the parsing process, an attacker can cause a denial-of-service (DoS) condition. This vulnerability allows for the system to hang and consume significant resources, potentially rendering services that utilize Scrapy for XML processing unresponsive.
Publish Date: 2024-02-28
URL: CVE-2024-1892
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-1892
Release Date: 2024-02-28
Fix Resolution: scrapy - 2.11.1