CVE-2024-3572

Published: Apr 16, 2024

Modified: Aug 1, 2024

PUBLISHED

CVSS v3.0

7.5

HIGH

Description

The scrapy/scrapy project is vulnerable to XML External Entity (XXE) attacks due to the use of lxml.etree.fromstring for parsing untrusted XML data without proper validation. This vulnerability allows attackers to perform denial of service attacks, access local files, generate network connections, or circumvent firewalls by submitting specially crafted XML data.

Vendor	Product	Versions
scrapy	scrapy/scrapy	affected `unspecified - < 2.11.1`

Weaknesses (CWE)

CWE-409

CVSS v3.0 Details

CVSS v3.0 Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

References

https://huntr.com/bounties/c4a0fac9-0c5a-4718-9ee4-2d06d58adabb

https://github.com/scrapy/scrapy/commit/809bfac4890f75fc73607318a04d2ccba71b3d9f

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2024-3572

Description

Affected Products

Weaknesses (CWE)

CVSS v3.0 Details

References