GHSA-mfjm-vh54-3f96
Suggest an improvement- Source
- https://github.com/advisories/GHSA-mfjm-vh54-3f96
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-mfjm-vh54-3f96/GHSA-mfjm-vh54-3f96.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-mfjm-vh54-3f96
- Published
- 2022-03-01T22:13:28Z
- Modified
- 2024-02-16T08:08:25.982364Z
- Summary
- Scrapy cookie-setting is not restricted based on the public suffix list
- Details
-
Impact
Responses from domain names whose public domain name suffix contains 1 or more periods (e.g. responses from
example.co.uk, given its public domain name suffix isco.uk) are able to set cookies that are included in requests to any other domain sharing the same domain name suffix.Patches
Upgrade to Scrapy 2.6.0, which restricts cookies with their domain set to any of those in the public suffix list.
If you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.6.0 is not an option, you may upgrade to Scrapy 1.8.2 instead.
Workarounds
The only workaround for unpatched versions of Scrapy is to disable cookies altogether, or limit target domains to a subset that does not include domain names with one of the public domain suffixes affected (those with 1 or more periods).
References
- https://publicsuffix.org/
For more information
If you have any questions or comments about this advisory: * Open an issue * Email us
- References
Affected packages
PyPI / scrapy
Package
- Name
- scrapy
- View open source insights on deps.dev
- Purl
- pkg:pypi/scrapy
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.8.2
Affected versions
0.*
1.*
PyPI / scrapy
Package
- Name
- scrapy
- View open source insights on deps.dev
- Purl
- pkg:pypi/scrapy