Test ID:	1.3.6.1.4.1.25623.1.1.12.2025.7476.1
Category:	Ubuntu Local Security Checks
Title:	Ubuntu: Security Advisory (USN-7476-1)
Summary:	The remote host is missing an update for the 'python-scrapy' package(s) announced via the USN-7476-1 advisory.
Description:	Summary: The remote host is missing an update for the 'python-scrapy' package(s) announced via the USN-7476-1 advisory. Vulnerability Insight: It was discovered that Scrapy improperly exposed HTTP authentication credentials to request targets, including during redirects. An attacker could use this issue to gain unauthorized access to user accounts. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2021-41125) It was discovered that Scrapy did not remove the cookie header during cross-domain redirects. An attacker could possibly use this issue to gain unauthorized access to user accounts. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. (CVE-2022-0577) It was discovered that Scrapy inefficiently parsed XML content. An attacker could use this issue to cause a denial of service by sending a crafted XML response. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. (CVE-2024-1892) It was discovered that Scrapy did not properly check response size during decompression. An attacker could send a crafted response that would exhaust memory and cause a denial of service. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. (CVE-2024-3572) It was discovered that Scrapy did not remove the authorization header during cross-domain redirects. An attacker could possibly use this issue to gain unauthorized access to user accounts. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. (CVE-2024-3574) It was discovered that Scrapy did not remove the authorization header during redirects that change scheme but remain in the same domain. This issue could possibly be used by an attacker to expose sensitive information or to gain unauthorized access to user accounts. (CVE-2024-1968) Affected Software/OS: 'python-scrapy' package(s) on Ubuntu 18.04, Ubuntu 20.04, Ubuntu 22.04, Ubuntu 24.04. Solution: Please install the updated package(s). CVSS Score: 4.0 CVSS Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2021-41125 https://github.com/scrapy/scrapy/security/advisories/GHSA-jwqp-28gf-p498 http://doc.scrapy.org/en/latest/topics/downloader-middleware.html#module-scrapy.downloadermiddlewares.httpauth https://github.com/scrapy/scrapy/commit/b01d69a1bf48060daec8f751368622352d8b85a6 https://w3lib.readthedocs.io/en/latest/w3lib.html#w3lib.http.basic_auth_header https://lists.debian.org/debian-lts-announce/2022/03/msg00021.html Common Vulnerability Exposure (CVE) ID: CVE-2022-0577 https://huntr.dev/bounties/3da527b1-2348-4f69-9e88-2e11a96ac585 https://github.com/scrapy/scrapy/commit/8ce01b3b76d4634f55067d6cfdf632ec70ba304a Common Vulnerability Exposure (CVE) ID: CVE-2024-1892 https://github.com/scrapy/scrapy/commit/479619b340f197a8f24c5db45bc068fb8755f2c5 https://huntr.com/bounties/271f94f2-1e05-4616-ac43-41752389e26b Common Vulnerability Exposure (CVE) ID: CVE-2024-1968 https://github.com/scrapy/scrapy/commit/1d0502f25bbe55a22899af915623fda1aaeb9dd8 https://huntr.com/bounties/27f6a021-a891-446a-ada5-0226d619dd1a Common Vulnerability Exposure (CVE) ID: CVE-2024-3572 https://github.com/scrapy/scrapy/commit/809bfac4890f75fc73607318a04d2ccba71b3d9f https://huntr.com/bounties/c4a0fac9-0c5a-4718-9ee4-2d06d58adabb Common Vulnerability Exposure (CVE) ID: CVE-2024-3574 https://github.com/scrapy/scrapy/commit/5bcb8fd5019c72d05c4a96da78a7fcb6ecb55b75 https://huntr.com/bounties/49974321-2718-43e3-a152-62b16eed72a9
Copyright	Copyright (C) 2025 Greenbone AG

This is only one of 146377 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.