Vulnerability Description
In scrapy/scrapy, an issue was identified where the Authorization header is not removed during redirects that only change the scheme (e.g., HTTPS to HTTP) but remain within the same domain. This behavior contravenes the Fetch standard, which mandates the removal of Authorization headers in cross-origin requests when the scheme, host, or port changes. Consequently, when a redirect downgrades from HTTPS to HTTP, the Authorization header may be inadvertently exposed in plaintext, leading to potential sensitive information disclosure to unauthorized actors. The flaw is located in the _build_redirect_request function of the redirect middleware.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Scrapy | Scrapy | <= 1.8.4 |
Related Weaknesses (CWE)
References
- https://github.com/scrapy/scrapy/commit/1d0502f25bbe55a22899af915623fda1aaeb9dd8Patch
- https://huntr.com/bounties/27f6a021-a891-446a-ada5-0226d619dd1aExploitThird Party Advisory
- https://github.com/scrapy/scrapy/commit/1d0502f25bbe55a22899af915623fda1aaeb9dd8Patch
- https://huntr.com/bounties/27f6a021-a891-446a-ada5-0226d619dd1aExploitThird Party Advisory
FAQ
What is CVE-2024-1968?
CVE-2024-1968 is a vulnerability with a CVSS score of 7.5 (HIGH). In scrapy/scrapy, an issue was identified where the Authorization header is not removed during redirects that only change the scheme (e.g., HTTPS to HTTP) but remain within the same domain. This behav...
How severe is CVE-2024-1968?
CVE-2024-1968 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-1968?
Check the references section above for vendor advisories and patch information. Affected products include: Scrapy Scrapy.