GHSA-mfjm-vh54-3f96

Suggest an improvement
Source
https://github.com/advisories/GHSA-mfjm-vh54-3f96
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-mfjm-vh54-3f96/GHSA-mfjm-vh54-3f96.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-mfjm-vh54-3f96
Published
2022-03-01T22:13:28Z
Modified
2024-12-07T05:40:29.120017Z
Summary
Scrapy cookie-setting is not restricted based on the public suffix list
Details

Impact

Responses from domain names whose public domain name suffix contains 1 or more periods (e.g. responses from example.co.uk, given its public domain name suffix is co.uk) are able to set cookies that are included in requests to any other domain sharing the same domain name suffix.

Patches

Upgrade to Scrapy 2.6.0, which restricts cookies with their domain set to any of those in the public suffix list.

If you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.6.0 is not an option, you may upgrade to Scrapy 1.8.2 instead.

Workarounds

The only workaround for unpatched versions of Scrapy is to disable cookies altogether, or limit target domains to a subset that does not include domain names with one of the public domain suffixes affected (those with 1 or more periods).

References

  • https://publicsuffix.org/

For more information

If you have any questions or comments about this advisory: * Open an issue * Email us

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-03-01T22:13:28Z"
}
References

Affected packages

PyPI / scrapy

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.8.2

Affected versions

0.*

0.7
0.8
0.9
0.10.4.2364
0.12.0.2550
0.14.1
0.14.2
0.14.3
0.14.4
0.16.0
0.16.1
0.16.2
0.16.3
0.16.4
0.16.5
0.18.0
0.18.1
0.18.2
0.18.3
0.18.4
0.20.0
0.20.1
0.20.2
0.22.0
0.22.1
0.22.2
0.24.0
0.24.1
0.24.2
0.24.3
0.24.4
0.24.5
0.24.6

1.*

1.0.0rc1
1.0.0rc2
1.0.0rc3
1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.1.0rc1
1.1.0rc2
1.1.0rc3
1.1.0rc4
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.2.0
1.2.1
1.2.2
1.2.3
1.3.0
1.3.1
1.3.2
1.3.3
1.4.0
1.5.0
1.5.1
1.5.2
1.6.0
1.7.0
1.7.1
1.7.2
1.7.3
1.7.4
1.8.0
1.8.1

PyPI / scrapy

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0.0
Fixed
2.6.0

Affected versions

2.*

2.0.0
2.0.1
2.1.0
2.2.0
2.2.1
2.3.0
2.4.0
2.4.1
2.5.0
2.5.1