Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Authorization Header Leakage in scrapy/scrapy on Scheme Change Redirects
Vulnerability Description
In scrapy/scrapy, an issue was identified where the Authorization header is not removed during redirects that only change the scheme (e.g., HTTPS to HTTP) but remain within the same domain. This behavior contravenes the Fetch standard, which mandates the removal of Authorization headers in cross-origin requests when the scheme, host, or port changes. Consequently, when a redirect downgrades from HTTPS to HTTP, the Authorization header may be inadvertently exposed in plaintext, leading to potential sensitive information disclosure to unauthorized actors. The flaw is located in the _build_redirect_request function of the redirect middleware.
CVSS Information
N/A
Vulnerability Type
信息暴露
Vulnerability Title
scrapy 信息泄露漏洞
Vulnerability Description
Scrapy是一个用Python编写的自由且开源的网络爬虫框架。 scrapy存在信息泄露漏洞,该漏洞源于授权标头可能会无意中以明文形式暴露,从而导致潜在的敏感信息泄露。
CVSS Information
N/A
Vulnerability Type
N/A