{"id":"USN-7476-1","summary":"python-scrapy vulnerabilities","details":"It was discovered that Scrapy improperly exposed HTTP authentication \ncredentials to request targets, including during redirects. An attacker \ncould use this issue to gain unauthorized access to user accounts. This\nissue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2021-41125)\n\nIt was discovered that Scrapy did not remove the cookie header during\ncross-domain redirects. An attacker could possibly use this issue to gain\nunauthorized access to user accounts. This issue only affected Ubuntu 18.04\nLTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. (CVE-2022-0577)\n\nIt was discovered that Scrapy inefficiently parsed XML content. An\nattacker could use this issue to cause a denial of service by sending a\ncrafted XML response. This issue only affected Ubuntu 18.04 LTS,\nUbuntu 20.04 LTS, and Ubuntu 22.04 LTS. (CVE-2024-1892)\n\nIt was discovered that Scrapy did not properly check response size during\ndecompression. An attacker could send a crafted response that would\nexhaust memory and cause a denial of service. This issue only affected\nUbuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. (CVE-2024-3572)\n\nIt was discovered that Scrapy did not remove the authorization header\nduring cross-domain redirects. An attacker could possibly use this issue\nto gain unauthorized access to user accounts. This issue only affected \nUbuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. (CVE-2024-3574)\n\nIt was discovered that Scrapy did not remove the authorization header\nduring redirects that change scheme but remain in the same domain. This\nissue could possibly be used by an attacker to expose sensitive \ninformation or to gain unauthorized access to user accounts.\n(CVE-2024-1968)\n\n","modified":"2026-04-27T17:32:33.062438620Z","published":"2025-05-05T16:31:52Z","related":["UBUNTU-CVE-2021-41125","UBUNTU-CVE-2022-0577","UBUNTU-CVE-2024-1892","UBUNTU-CVE-2024-1968","UBUNTU-CVE-2024-3572","UBUNTU-CVE-2024-3574"],"upstream":["CVE-2021-41125","CVE-2022-0577","CVE-2024-1892","CVE-2024-1968","CVE-2024-3572","CVE-2024-3574","UBUNTU-CVE-2021-41125","UBUNTU-CVE-2022-0577","UBUNTU-CVE-2024-1892","UBUNTU-CVE-2024-1968","UBUNTU-CVE-2024-3572","UBUNTU-CVE-2024-3574"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-7476-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2021-41125"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2022-0577"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2024-1892"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2024-1968"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2024-3572"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2024-3574"}],"affected":[{"package":{"name":"python-scrapy","ecosystem":"Ubuntu:Pro:18.04:LTS","purl":"pkg:deb/ubuntu/python-scrapy@1.5.0-1ubuntu0.1~esm1?arch=source&distro=esm-apps/bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.5.0-1ubuntu0.1~esm1"}]}],"versions":["1.3.0-1~exp2","1.4.0-1","1.5.0-1"],"ecosystem_specific":{"binaries":[{"binary_name":"python-scrapy","binary_version":"1.5.0-1ubuntu0.1~esm1"},{"binary_name":"python3-scrapy","binary_version":"1.5.0-1ubuntu0.1~esm1"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-7476-1.json","cves_map":{"cves":[{"id":"CVE-2021-41125","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2022-0577","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","type":"CVSS_V3"},{"type":"Ubuntu","score":"low"}]},{"id":"CVE-2024-1892","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2024-1968","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2024-3572","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2024-3574","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"score":"medium","type":"Ubuntu"}]}],"ecosystem":"Ubuntu:Pro:18.04:LTS"}}},{"package":{"name":"python-scrapy","ecosystem":"Ubuntu:Pro:20.04:LTS","purl":"pkg:deb/ubuntu/python-scrapy@1.7.3-1ubuntu0.1~esm1?arch=source&distro=esm-apps/focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.7.3-1ubuntu0.1~esm1"}]}],"versions":["1.7.3-1"],"ecosystem_specific":{"binaries":[{"binary_name":"python3-scrapy","binary_version":"1.7.3-1ubuntu0.1~esm1"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-7476-1.json","cves_map":{"cves":[{"id":"CVE-2021-41125","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N"},{"score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","type":"CVSS_V3"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2022-0577","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"type":"Ubuntu","score":"low"}]},{"id":"CVE-2024-1892","severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2024-1968","severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","type":"CVSS_V3"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2024-3572","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2024-3574","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"type":"Ubuntu","score":"medium"}]}],"ecosystem":"Ubuntu:Pro:20.04:LTS"}}},{"package":{"name":"python-scrapy","ecosystem":"Ubuntu:Pro:22.04:LTS","purl":"pkg:deb/ubuntu/python-scrapy@2.5.1-2ubuntu0.1~esm1?arch=source&distro=esm-apps/jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.5.1-2ubuntu0.1~esm1"}]}],"versions":["2.4.1-2","2.5.1-2"],"ecosystem_specific":{"binaries":[{"binary_name":"python3-scrapy","binary_version":"2.5.1-2ubuntu0.1~esm1"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-7476-1.json","cves_map":{"cves":[{"id":"CVE-2022-0577","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"type":"Ubuntu","score":"low"}]},{"id":"CVE-2024-1892","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2024-1968","severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","type":"CVSS_V3"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2024-3572","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2024-3574","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"type":"Ubuntu","score":"medium"}]}],"ecosystem":"Ubuntu:Pro:22.04:LTS"}}},{"package":{"name":"python-scrapy","ecosystem":"Ubuntu:Pro:24.04:LTS","purl":"pkg:deb/ubuntu/python-scrapy@2.11.1-1ubuntu0.1~esm2?arch=source&distro=esm-apps/noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.11.1-1ubuntu0.1~esm2"}]}],"versions":["2.10.0-1","2.11.0-1","2.11.0-2","2.11.1-1"],"ecosystem_specific":{"binaries":[{"binary_name":"python3-scrapy","binary_version":"2.11.1-1ubuntu0.1~esm2"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-7476-1.json","cves_map":{"cves":[{"id":"CVE-2024-1968","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"type":"Ubuntu","score":"medium"}]}],"ecosystem":"Ubuntu:Pro:24.04:LTS"}}}],"schema_version":"1.7.5"}