CVSS3: 7.5 High
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
EPSS: 0.0004 Low (percentile 9.2%)
The scrapy/scrapy project is vulnerable to XML External Entity (XXE)
attacks due to the use of lxml.etree.fromstring for parsing untrusted XML
data without proper validation. This vulnerability allows attackers to
perform denial of service attacks, access local files, generate network
connections, or circumvent firewalls by submitting specially crafted XML
data.
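The advisory names lxml.etree.fromstring on untrusted input as the root cause. As an added example (not Scrapy's code or the referenced fix), the block below shows a hardened lxml parser configuration and a regression check that an external entity declared in untrusted XML is not expanded into the parsed tree; the function names, the temporary file and the marker string are constructed for illustration.

```python
import os
import tempfile
from typing import Optional
from lxml import etree

# Hardened parser for untrusted XML (options are lxml's documented XMLParser
# arguments): entity references are left unexpanded, so an external entity
# cannot pull a local file into the document; no external DTD is fetched and
# no network access is allowed while parsing. huge_tree stays False so
# libxml2's default size limits remain in force against entity-expansion DoS.
SAFE_PARSER = etree.XMLParser(
    resolve_entities=False,
    no_network=True,
    load_dtd=False,
    huge_tree=False,
)


def parse_untrusted(xml_bytes: bytes) -> etree._Element:
    """Parse XML from an untrusted source without resolving entities."""
    return etree.fromstring(xml_bytes, parser=SAFE_PARSER)


def entity_leaks_file(parser: Optional[etree.XMLParser]) -> bool:
    """Regression check for a parser configuration.

    Writes a constructed marker into a temporary file, declares an external
    entity pointing at that file, parses the document with the given parser
    (None selects lxml's default, i.e. the vulnerable fromstring behaviour)
    and reports whether the marker ended up inside the parsed tree.
    """
    marker = b"CONSTRUCTED-MARKER-0xC0FFEE"
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(marker)
        path = tmp.name
    try:
        doc = (
            b'<?xml version="1.0"?>'
            b'<!DOCTYPE data [<!ENTITY ext SYSTEM "file://' + path.encode() + b'">]>'
            b'<data>&ext;</data>'
        )
        root = etree.fromstring(doc, parser=parser)
        # With the hardened parser the reference serialises back as "&ext;".
        return marker in etree.tostring(root)
    finally:
        os.unlink(path)
```

entity_leaks_file(None) returns True with lxml's default parser and False with SAFE_PARSER, which is the assertion to keep in a test suite so the parser options are not silently dropped later.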
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 16.04 | noarch | python-scrapy | < any | UNKNOWN |
ubuntu | 18.04 | noarch | python-scrapy | < any | UNKNOWN |
ubuntu | 20.04 | noarch | python-scrapy | < any | UNKNOWN |
ubuntu | 22.04 | noarch | python-scrapy | < any | UNKNOWN |
ubuntu | 23.10 | noarch | python-scrapy | < any | UNKNOWN |
github.com/scrapy/scrapy/commit/809bfac4890f75fc73607318a04d2ccba71b3d9f (2.11.1)
github.com/scrapy/scrapy/security/advisories/GHSA-7j7m-v7m3-jqm7
huntr.com/bounties/c4a0fac9-0c5a-4718-9ee4-2d06d58adabb
launchpad.net/bugs/cve/CVE-2024-3572
nvd.nist.gov/vuln/detail/CVE-2024-3572
security-tracker.debian.org/tracker/CVE-2024-3572
www.cve.org/CVERecord?id=CVE-2024-3572