Vulnerability DatabaseCVE-2024-1892
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2024-1892
February 28, 2024
A Regular Expression Denial of Service (ReDoS) vulnerability exists in the XMLFeedSpider class of the scrapy/scrapy project, specifically in the parsing of XML content. By crafting malicious XML content that exploits inefficient regular expression complexity used in the parsing process, an attacker can cause a denial-of-service (DoS) condition. This vulnerability allows for the system to hang and consume significant resources, potentially rendering services that utilize Scrapy for XML processing unresponsive.
Related Resources (8)
https://docs.scrapy.org/en/latest/news.html#scrapy-2-11-1-2024-02-14
https://github.com/scrapy/scrapy
https://github.com/scrapy/scrapy/commit/479619b340f197a8f24c5db45bc068fb8755f2c5
https://huntr.com/bounties/271f94f2-1e05-4616-ac43-41752389e26b
https://github.com/pypa/advisory-database/tree/main/vulns/scrapy/PYSEC-2024-162.yaml
https://github.com/scrapy/scrapy/security/advisories/GHSA-cc65-xxvf-f7r9
https://github.com/scrapy/scrapy/commit/73e7c0ed011a0565a1584b8052ec757b54e5270b
https://docs.scrapy.org/en/latest/news.html#scrapy-1-8-4-2024-02-14
Do you need more information?
Contact Us
CVSS v4
Base Score:
8.7
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
NONE
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
6.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
NONE
Integrity
NONE
Availability
HIGH
Weakness Type (CWE)
Inefficient Regular Expression Complexity
CWE-1333
EPSS
Base Score:
0.06