vulnerability

FreeBSD: VID-2AD25820-C71A-4E6C-BB99-770C66FE496D: py-Scrapy -- credentials leak vulnerability

Severity
8
CVSS
(AV:N/AC:L/Au:N/C:C/I:N/A:N)
Published
Jul 29, 2022
Added
Sep 1, 2023
Modified
Feb 19, 2025

Description




When the built-in HTTP proxy downloader middleware processes a request with `proxy` metadata, and that `proxy` metadata includes proxy credentials, the built-in HTTP proxy downloader middleware sets the `Proxy-Authentication` header, but only if that header is not already set.


There are third-party proxy-rotation downloader middlewares that set different `proxy` metadata every time they process a request.


Because of request retries and redirects, the same request can be processed by downloader middlewares more than once, including both the built-in HTTP proxy downloader middleware and any third-party proxy-rotation downloader middleware.


These third-party proxy-rotation downloader middlewares could change the `proxy` metadata of a request to a new value, but fail to remove the `Proxy-Authentication` header from the previous value of the `proxy` metadata, causing the credentials of one proxy to be leaked to a different proxy.


If you rotate proxies from different proxy providers, and any of those proxies requires credentials, you are affected, unless you are handling proxy rotation as described under **Workarounds** below.


If you use a third-party downloader middleware for proxy rotation, the same applies to that downloader middleware, and installing a patched version of Scrapy may not be enough;


patching that downloader middlware may be necessary as well.




Solution(s)

freebsd-upgrade-package-py310-scrapyfreebsd-upgrade-package-py311-scrapyfreebsd-upgrade-package-py37-scrapyfreebsd-upgrade-package-py38-scrapyfreebsd-upgrade-package-py39-scrapy

References

Title
NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.