CVE-2024-3574
CVE-2024-3574 is a vulnerability of currently unknown severity. In scrapy version 2.10.1, an issue was identified where the Authorization header, containing credentials for server authentication, is leaked to a third-party site during a cross-domain redirect. This vulnerability arises from the failure to remove the Authorization header when redirecting across domains. EPSS estimates a 0.64% chance of exploitation in the next 30 days.
Description
In Scrapy version 2.10.1, the Authorization header, which carries the credentials used to authenticate to the original server, is forwarded to a third-party site when a response redirects to a different domain. The vulnerability arises because the header was not removed when following a cross-domain redirect. Exposure of the Authorization header to an unauthorized party could allow account hijacking.
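The defensive behaviour the description calls for is to drop the Authorization header before a request is re-issued to a redirect target on another site. The following is an added example, not Scrapy's own code: the helper names (`origin`, `headers_for_redirect`, `leaks_credentials`) and the constructed sample headers are assumptions. It generalizes slightly beyond the page by comparing the full origin (scheme, host and port) rather than only the domain, which is stricter, and by resolving a relative `Location` value against the original URL.

```python
from urllib.parse import urljoin, urlsplit

# Default ports so that "https://host/" and "https://host:443/" compare equal.
DEFAULT_PORTS = {"http": 80, "https": 443}

# Header that must never follow a redirect to a different origin.
SENSITIVE_HEADER = "authorization"


def origin(url):
    """Return the (scheme, host, port) triple that identifies a URL's origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def headers_for_redirect(original_url, location, headers):
    """Return a copy of `headers` that is safe to send to the redirect target.

    `location` may be absolute or relative, as in an HTTP Location header;
    it is resolved against `original_url` before the origins are compared.
    The Authorization header is kept only for same-origin redirects.
    """
    redirect_url = urljoin(original_url, location)
    if origin(original_url) == origin(redirect_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() != SENSITIVE_HEADER}


def leaks_credentials(original_url, location, headers):
    """Detection check: True if forwarding `headers` unchanged would send
    an Authorization header to a different origin than the one it was meant for."""
    has_auth = any(k.lower() == SENSITIVE_HEADER for k in headers)
    redirect_url = urljoin(original_url, location)
    return has_auth and origin(original_url) != origin(redirect_url)


if __name__ == "__main__":
    # Constructed sample request: a bearer token meant only for api.example.com.
    original = "https://api.example.com/v1/items"
    request_headers = {"Authorization": "Bearer constructed-sample-token",
                       "Accept": "application/json"}

    for loc in ("/v2/items",                          # relative, same origin
                "https://api.example.com:443/v2",    # explicit default port
                "http://api.example.com/v2",         # same host, scheme change
                "https://cdn.example.net/v2/items"):  # cross-domain
        safe = headers_for_redirect(original, loc, request_headers)
        print(f"{loc:38} leak={leaks_credentials(original, loc, request_headers)!s:5} "
              f"forwarded={sorted(safe)}")
```

The `leaks_credentials` check is the condition a log review or a unit test in a crawler would assert on; `headers_for_redirect` is the corresponding mitigation applied before the redirected request is built.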
Metrics
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Scrapy | Scrapy | < 2.11.1 |
References
- https://huntr.com/bounties/49974321-2718-43e3-a152-62b16eed72a9 (Exploit, Issue Tracking, Patch, Third Party Advisory)
Source: NVD / NIST
