CVE-2024-1968
CVE-2024-1968 is a vulnerability of currently unknown severity. In scrapy/scrapy, an issue was identified where the Authorization header is not removed during redirects that only change the scheme (e.g., HTTPS to HTTP) but remain within the same domain. This behavior contravenes the Fetch standard, which mandates the removal of Authorization headers in cross-origin requests when the scheme, host, or port changes. EPSS estimates a 0.68% chance of exploitation in the next 30 days.
Description
In scrapy/scrapy, an issue was identified where the Authorization header is not removed during redirects that only change the scheme (e.g., HTTPS to HTTP) but remain within the same domain. This behavior contravenes the Fetch standard, which mandates the removal of Authorization headers in cross-origin requests when the scheme, host, or port changes. Consequently, when a redirect downgrades from HTTPS to HTTP, the Authorization header may be inadvertently exposed in plaintext, leading to potential sensitive information disclosure to unauthorized actors. The flaw is located in the _build_redirect_request function of the redirect middleware.
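The following is an added illustration, not Scrapy's own middleware code: it contrasts a host-only comparison (which lets an HTTPS-to-HTTP redirect keep the Authorization header) with the scheme/host/port origin comparison the Fetch standard requires. All function and variable names are assumptions.

```python
from urllib.parse import urlsplit

# Default ports so that https://example.com and https://example.com:443 compare as the same origin.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) triple that defines a URL's origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def same_domain_only(src, dst):
    """Hypothetical pre-fix check: compares the host alone, so a scheme
    downgrade within the same domain is treated as 'same site'."""
    return origin(src)[1] == origin(dst)[1]


def same_origin(src, dst):
    """Fetch-standard check: scheme, host and port must all match."""
    return origin(src) == origin(dst)


def build_redirect_headers(headers, src, dst, check=same_origin):
    """Build the header set for a redirected request.

    Authorization is carried over only when `check` says the redirect target
    shares the original request's origin; every other header is kept as-is.
    """
    keep_auth = check(src, dst)
    return {
        name: value
        for name, value in headers.items()
        if name.lower() != "authorization" or keep_auth
    }


if __name__ == "__main__":
    # Constructed sample request headers.
    hdrs = {"Authorization": "Bearer constructed-token", "Accept": "*/*"}
    src, dst = "https://example.com/login", "http://example.com/next"
    print("host-only check keeps Authorization:",
          "Authorization" in build_redirect_headers(hdrs, src, dst, same_domain_only))
    print("origin check keeps Authorization:",
          "Authorization" in build_redirect_headers(hdrs, src, dst))
```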
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Scrapy | Scrapy | <= 1.8.4 |
| Scrapy | Scrapy | >= 2.0.0, < 2.11.2 |
References
- https://huntr.com/bounties/27f6a021-a891-446a-ada5-0226d619dd1a (Exploit, Third Party Advisory)
Timeline
- Status: Analyzed
Source: NVD / NIST
