Incorrect Authorization and Exposure of Sensitive Information to an Unauthorized Actor in scrapy

Description

Impact

If you manually define cookies on a Request object, and that Request object gets a redirect response, the new Request object scheduled to follow the redirect keeps those user-defined cookies, regardless of the target domain.

Patches

Upgrade to Scrapy 2.6.0, which resets cookies when creating Request objects to follow redirects¹, and drops the Cookie header if manually-defined if the redirect target URL domain name does not match the source URL domain name².

If you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.6.0 is not an option, you may upgrade to Scrapy 1.8.2 instead.

¹ At that point the original, user-set cookies have been processed by the cookie middleware into the global or request-specific cookiejar, with their domain restricted to the domain of the original URL, so when the cookie middleware processes the new (redirect) request it will incorporate those cookies into the new request as long as the domain of the new request matches the domain of the original request.

² This prevents cookie leaks to unintended domains even if the cookies middleware is not used.

Workarounds

If you cannot upgrade, set your cookies using a list of dictionaries instead of a single dictionary, as described in the Request documentation, and set the right domain for each cookie.

Alternatively, you can disable cookies altogether, or limit target domains to domains that you trust with all your user-set cookies.

References

For more information

If you have any questions or comments about this advisory:
* Open an issue
* Email us

Basic information

Type
reviewed
Severity
medium
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2022-03-01 22:12:47 UTC
Updated
2024-10-22 16:37:19 UTC
GitHub reviewed
2022-03-01 22:12:47 UTC

EPSS Score

Score Percentile
0.21% 43.23%

CVSS Scores

Base score Version Severity Vector
6.5 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L)
A normal user session is enough; they don’t have to be admin.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:N)
Data isn’t meaningfully altered or forged.
Availability (A:N)
Service keeps running; no real outage angle.

Identifiers

CWEs

CWE id Name
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CWE-863 Incorrect Authorization

Credits

  • ranjit-git (analyst)

Affected packages (2)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
pip scrapy < 1.8.2 1.8.2
pip scrapy >= 2.0.0, < 2.6.0 2.6.1

References

cvelogic Threat Intelligence