CVE-2021-41124

{"id": "CVE-2021-41124", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 2.8}]}, "published": "2021-10-05T21:15:09.590", "references": [{"url": "https://github.com/scrapy-plugins/scrapy-splash/commit/2b253e57fe64ec575079c8cdc99fe2013502ea31", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/scrapy-plugins/scrapy-splash/security/advisories/GHSA-823f-cwm9-4g74", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "Scrapy-splash is a library which provides Scrapy and JavaScript integration. In affected versions users who use [`HttpAuthMiddleware`](http://doc.scrapy.org/en/latest/topics/downloader-middleware.html#module-scrapy.downloadermiddlewares.httpauth) (i.e. the `http_user` and `http_pass` spider attributes) for Splash authentication will have any non-Splash request expose your credentials to the request target. This includes `robots.txt` requests sent by Scrapy when the `ROBOTSTXT_OBEY` setting is set to `True`. Upgrade to scrapy-splash 0.8.0 and use the new `SPLASH_USER` and `SPLASH_PASS` settings instead to set your Splash authentication credentials safely. If you cannot upgrade, set your Splash request credentials on a per-request basis, [using the `splash_headers` request parameter](https://github.com/scrapy-plugins/scrapy-splash/tree/0.8.x#http-basic-auth), instead of defining them globally using the [`HttpAuthMiddleware`](http://doc.scrapy.org/en/latest/topics/downloader-middleware.html#module-scrapy.downloadermiddlewares.httpauth). Alternatively, make sure all your requests go through Splash. That includes disabling the [robots.txt middleware](https://docs.scrapy.org/en/latest/topics/downloader-middleware.html#topics-dlmw-robots)."}, {"lang": "es", "value": "Scrapy-splash es una biblioteca que proporciona integraci\u00f3n de Scrapy y JavaScript. En las versiones afectadas, unos usuarios que usan [\"HttpAuthMiddleware\"](http://doc.scrapy.org/en/latest/topics/downloader-middleware.html#module-scrapy.downloadermiddlewares.httpauth) (es decir, los atributos \"http_user\" y \"http_pass\" de spider) para la autenticaci\u00f3n de Splash tendr\u00e1n cualquier petici\u00f3n que no sea de Scrapy expondr\u00e1 sus credenciales al objetivo de la petici\u00f3n. Esto incluye las peticiones \"robots.txt\" enviadas por Scrapy cuando la configuraci\u00f3n \"ROBOTSTXT_OBEY\" es establecida en \"True\". Actualice a scrapy-splash 0.8.0 y use los nuevos ajustes \"SPLASH_USER\" y \"SPLASH_PASS\" para establecer sus credenciales de autenticaci\u00f3n de Splash de forma segura. Si no puede actualizar, establezca sus credenciales de petici\u00f3n de Splash en base a cada petici\u00f3n, [usando el par\u00e1metro de petici\u00f3n \"splash_headers\"](https://github.com/scrapy-plugins/scrapy-splash/tree/0.8.x#http-basic-auth), en lugar de definirlas globalmente usando el [\"HttpAuthMiddleware\"](http://doc.scrapy.org/en/latest/topics/downloader-middleware.html#module-scrapy.downloadermiddlewares.httpauth). Alternativamente, aseg\u00farate de que todas tus peticiones pasan mediante Splash. Esto incluye la deshabilitaci\u00f3n del middleware [robots.txt](https://docs.scrapy.org/en/latest/topics/downloader-middleware.html#topics-dlmw-robots)"}], "lastModified": "2021-10-14T13:50:26.630", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:zyte:scrapy-splash:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5C1C14A7-91D9-43EE-9494-C34DB5FAC73A", "versionEndExcluding": "0.8.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}