Home > Vulnerability Database > CVE-2024-3572

Mend.io Vulnerability Database

CVE-2024-3572

Good to know:

Date: April 15, 2024

The scrapy/scrapy project is vulnerable to XML External Entity (XXE) attacks due to the use of lxml.etree.fromstring for parsing untrusted XML data without proper validation. This vulnerability allows attackers to perform denial of service attacks, access local files, generate network connections, or circumvent firewalls by submitting specially crafted XML data.

Language: Python

Severity Score

7.5

Related Resources (5)

Url: https://huntr.com/bounties/c4a0fac9-0c5a-4718-9ee4-2d06d58adabb

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-3572

Url: https://github.com/scrapy/scrapy/commit/809bfac4890f75fc73607318a04d2ccba71b3d9f

Url: https://security-tracker.debian.org/tracker/CVE-2024-3572

Url: https://www.mend.io/vulnerability-database/CVE-2024-3572

Severity Score

7.5

Weakness Type (CWE)

Improper Handling of Highly Compressed Data (Data Amplification)

CWE-409

Top Fix

Upgrade Version

Upgrade to version scrapy - 2.11.1

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-3572

Good to know:

Date: April 15, 2024

Language: Python

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?