mend-bolt-for-github[bot]
commented
2 years ago :heavy_check_mark: This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.
A high-level Web Crawling and Web Scraping framework
Library home page: https://files.pythonhosted.org/packages/5d/12/a6197eaf97385e96fd8ec56627749a6229a9b3178ad73866a0b1fb377379/Scrapy-1.5.1-py2.py3-none-any.whl
Path to dependency file: /ci/requirements.txt
Path to vulnerable library: /ci/requirements.txt
Found in HEAD commit: 4365b26096e64c91477237871b08ec9ab84069e1
Vulnerabilities
Details
CVE-2021-41125
### Vulnerable Library - Scrapy-1.5.1-py2.py3-none-any.whlA high-level Web Crawling and Web Scraping framework
Library home page: https://files.pythonhosted.org/packages/5d/12/a6197eaf97385e96fd8ec56627749a6229a9b3178ad73866a0b1fb377379/Scrapy-1.5.1-py2.py3-none-any.whl
Path to dependency file: /ci/requirements.txt
Path to vulnerable library: /ci/requirements.txt
Dependency Hierarchy: - :x: **Scrapy-1.5.1-py2.py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: 4365b26096e64c91477237871b08ec9ab84069e1
Found in base branch: develop
### Vulnerability DetailsScrapy is a high-level web crawling and scraping framework for Python. If you use `HttpAuthMiddleware` (i.e. the `http_user` and `http_pass` spider attributes) for HTTP authentication, all requests will expose your credentials to the request target. This includes requests generated by Scrapy components, such as `robots.txt` requests sent by Scrapy when the `ROBOTSTXT_OBEY` setting is set to `True`, or as requests reached through redirects. Upgrade to Scrapy 2.5.1 and use the new `http_auth_domain` spider attribute to control which domains are allowed to receive the configured HTTP authentication credentials. If you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.5.1 is not an option, you may upgrade to Scrapy 1.8.1 instead. If you cannot upgrade, set your HTTP authentication credentials on a per-request basis, using for example the `w3lib.http.basic_auth_header` function to convert your credentials into a value that you can assign to the `Authorization` header of your request, instead of defining your credentials globally using `HttpAuthMiddleware`.
Publish Date: 2021-10-06
URL: CVE-2021-41125
### CVSS 3 Score Details (6.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-jwqp-28gf-p498
Release Date: 2021-10-06
Fix Resolution: scrapy - 1.8.1, 2.5.1
Step up your Open Source Security Game with WhiteSource [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-0577
### Vulnerable Library - Scrapy-1.5.1-py2.py3-none-any.whlA high-level Web Crawling and Web Scraping framework
Library home page: https://files.pythonhosted.org/packages/5d/12/a6197eaf97385e96fd8ec56627749a6229a9b3178ad73866a0b1fb377379/Scrapy-1.5.1-py2.py3-none-any.whl
Path to dependency file: /ci/requirements.txt
Path to vulnerable library: /ci/requirements.txt
Dependency Hierarchy: - :x: **Scrapy-1.5.1-py2.py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: 4365b26096e64c91477237871b08ec9ab84069e1
Found in base branch: develop
### Vulnerability DetailsExposure of Sensitive Information to an Unauthorized Actor in GitHub repository scrapy/scrapy prior to 2.6.1.
Publish Date: 2022-03-02
URL: CVE-2022-0577
### CVSS 3 Score Details (6.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-mfjm-vh54-3f96
Release Date: 2022-03-02
Fix Resolution: Scrapy - 1.8.2,2.6.0
Step up your Open Source Security Game with WhiteSource [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
WS-2022-0091
### Vulnerable Library - Scrapy-1.5.1-py2.py3-none-any.whlA high-level Web Crawling and Web Scraping framework
Library home page: https://files.pythonhosted.org/packages/5d/12/a6197eaf97385e96fd8ec56627749a6229a9b3178ad73866a0b1fb377379/Scrapy-1.5.1-py2.py3-none-any.whl
Path to dependency file: /ci/requirements.txt
Path to vulnerable library: /ci/requirements.txt
Dependency Hierarchy: - :x: **Scrapy-1.5.1-py2.py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: 4365b26096e64c91477237871b08ec9ab84069e1
Found in base branch: develop
### Vulnerability DetailsScrapy versions prior to 1.8.2 and prior to 2.6.0 are able to set cookies that are included in requests to any other domain sharing the same domain name suffix.
Publish Date: 2022-03-02
URL: WS-2022-0091
### CVSS 3 Score Details (4.2)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. Step up your Open Source Security Game with WhiteSource [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)