CVE-2024-3572
Last modified
CVE-2024-3572 is a vulnerability of currently unknown severity. The scrapy/scrapy project is vulnerable to XML External Entity (XXE) attacks due to the use of lxml.etree.fromstring for parsing untrusted XML data without proper validation. This vulnerability allows attackers to perform denial of service attacks, access local files, generate network connections, or circumvent firewalls by submitting specially crafted XML data. EPSS estimates a 0.81% chance of exploitation in the next 30 days.
Description
The scrapy/scrapy project is vulnerable to XML External Entity (XXE) attacks due to the use of lxml.etree.fromstring for parsing untrusted XML data without proper validation. This vulnerability allows attackers to perform denial of service attacks, access local files, generate network connections, or circumvent firewalls by submitting specially crafted XML data.
Metrics
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Scrapy | Scrapy | < 2.11.1 |
References
- https://huntr.com/bounties/c4a0fac9-0c5a-4718-9ee4-2d06d58adabbExploit, Issue Tracking, Third Party Advisory
- https://huntr.com/bounties/c4a0fac9-0c5a-4718-9ee4-2d06d58adabbExploit, Issue Tracking, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2024-3572?
How severe is CVE-2024-3572?
How do I fix CVE-2024-3572?
Are you affected by CVE-2024-3572?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST