
CVE-2021-41125: Scrapy HTTP authentication credentials potentially leaked to target websites

CVSS Score (v3.1): 5.7

Basic Information

EPSS Score: 0.61032%
Published: 10/6/2021
Updated: 10/26/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Package Name   Ecosystem   Vulnerable Versions   First Patched Version
Scrapy         pip         < 1.8.1               1.8.1
Scrapy         pip         >= 2.0.0, < 2.5.1     2.5.1

Vulnerability Intelligence
Miggo AI

Miggo AI Root Cause Analysis

The vulnerability stems from HttpAuthMiddleware's unconditional credential handling. Before the patch, the process_request method in httpauth.py added a Basic Auth Authorization header to every request whenever http_user/http_pass were set, regardless of the target domain. Commit b01d69a introduced domain validation (urlparse_cached + url_is_from_any_domain) so that credentials are only attached to requests for the intended domain. The vulnerable function is therefore the process_request implementation that lacked these domain checks, which let a spider's credentials leak to any other domain it happened to request.
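The following is an added example, not Scrapy's own code: a dependency-free, simplified re-implementation of the two process_request behaviours described above, so the leak condition can be exercised offline. The Request class, the url_is_from_any_domain helper, both middleware classes and the hosts_receiving_credentials check are constructed for this illustration; the http_auth_domain attribute is the one the fixed Scrapy versions use, but this version treats it as mandatory and does not model how real Scrapy handles the attribute being unset. Hostnames and credentials are constructed sample values.

```python
# Added example (not Scrapy's own code): minimal re-implementation of the
# HttpAuthMiddleware logic before and after the CVE-2021-41125 fix.
import base64
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class Request:
    """Stand-in for scrapy.http.Request: just a URL and a mutable header dict."""
    url: str
    headers: dict = field(default_factory=dict)


def basic_auth_header(username: str, password: str) -> str:
    """Build the value of an HTTP Basic 'Authorization' header (RFC 7617)."""
    token = base64.b64encode(f"{username}:{password}".encode("latin-1")).decode("ascii")
    return "Basic " + token


def url_is_from_any_domain(url: str, domains) -> bool:
    """Simplified re-implementation of scrapy.utils.url.url_is_from_any_domain:
    true when the URL's host equals one of the domains or is a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return False
    return any(host == d.lower() or host.endswith("." + d.lower()) for d in domains)


class VulnerableHttpAuthMiddleware:
    """Pre-patch logic (Scrapy < 1.8.1 and 2.0.0 <= x < 2.5.1): once http_user /
    http_pass are set, every request gets the Authorization header, whatever its host."""

    def __init__(self, http_user: str, http_pass: str):
        self.auth = basic_auth_header(http_user, http_pass)

    def process_request(self, request: Request) -> Request:
        if self.auth and "Authorization" not in request.headers:
            request.headers["Authorization"] = self.auth  # no domain check at all
        return request


class PatchedHttpAuthMiddleware:
    """Post-patch logic: the header is only attached when the request host belongs
    to the spider's http_auth_domain. This simplified version requires the domain
    to be given explicitly (assumption; real Scrapy has a fallback path for an
    unset attribute that is not modelled here)."""

    def __init__(self, http_user: str, http_pass: str, http_auth_domain: str):
        self.auth = basic_auth_header(http_user, http_pass)
        self.domain = http_auth_domain

    def process_request(self, request: Request) -> Request:
        if (self.auth and "Authorization" not in request.headers
                and url_is_from_any_domain(request.url, [self.domain])):
            request.headers["Authorization"] = self.auth
        return request


def hosts_receiving_credentials(middleware, urls):
    """Run each URL through the middleware and report which hosts would have
    received the Authorization header; a handy regression check for a custom
    auth middleware."""
    leaked = []
    for url in urls:
        req = middleware.process_request(Request(url))
        if "Authorization" in req.headers:
            leaked.append(urlparse(url).hostname)
    return leaked


# Constructed sample crawl: the spider authenticates against example.com but,
# as crawls usually do, also follows links to a subdomain and to an unrelated host.
SAMPLE_URLS = [
    "https://example.com/login",
    "https://api.example.com/v1/items",
    "https://third-party.invalid/tracker.js",  # constructed unrelated host
]

if __name__ == "__main__":
    creds = ("alice", "s3cret")  # constructed credentials
    print("vulnerable:", hosts_receiving_credentials(VulnerableHttpAuthMiddleware(*creds), SAMPLE_URLS))
    print("patched:   ", hosts_receiving_credentials(PatchedHttpAuthMiddleware(*creds, "example.com"), SAMPLE_URLS))
```

Running the block shows the vulnerable middleware handing the Basic Auth header to all three hosts, including the unrelated one, while the patched middleware restricts it to example.com and its subdomain. The same hosts_receiving_credentials check can be pointed at any custom downloader middleware to confirm it does not repeat this pattern.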


WAF Protection Rules

WAF Rule

Impact

If you use [`HttpAuthMiddleware`](http://doc.scrapy.org/en/latest/topics/downloader-middleware.html#module-scrapy.downloadermiddlewares.httpauth) (i.e. the `http_user` and `http_pass` spider attributes) for HTTP authentication, all requests
