We use cookies to improve your experience on our site.
AVID-2026-R0887
Description
Splash authentication credentials potentially leaked to target websites in scrapy-splash (CVE-2021-41124)
Details
Scrapy-splash is a library which provides Scrapy and JavaScript integration. In affected versions users who use HttpAuthMiddleware (i.e. the http_user and http_pass spider attributes) for Splash authentication will have any non-Splash request expose your credentials to the request target. This includes robots.txt requests sent by Scrapy when the ROBOTSTXT_OBEY setting is set to True. Upgrade to scrapy-splash 0.8.0 and use the new SPLASH_USER and SPLASH_PASS settings instead to set your Splash authentication credentials safely. If you cannot upgrade, set your Splash request credentials on a per-request basis, using the splash_headers request parameter, instead of defining them globally using the HttpAuthMiddleware. Alternatively, make sure all your requests go through Splash. That includes disabling the robots.txt middleware.
Reason for inclusion in AVID: CVE-2021-41124 describes a credential leakage vulnerability in Scrapy-Splash when using HttpAuthMiddleware, exposing authentication data to target websites. Scrapy-Splash is a library used in data collection pipelines, which can be part of AI data ingestions and general-purpose AI system workflows. This constitutes a software supply-chain vulnerability in components that could be used to build AI systems (data harvesting/processing stacks). The vulnerability is clearly security-related (credential exposure) with actionable mitigations.
References
- NVD entry
- https://github.com/scrapy-plugins/scrapy-splash/security/advisories/GHSA-823f-cwm9-4g74
- https://github.com/scrapy-plugins/scrapy-splash/commit/2b253e57fe64ec575079c8cdc99fe2013502ea31
Affected or Relevant Artifacts
- Developer: scrapy-plugins
- Deployer: scrapy-plugins
- Artifact Details:
| Type | Name |
|---|---|
| System | scrapy-splash |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Version | 3.1 |
| Vector String | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N |
| Base Score | 7.4 |
| Base Severity | 🔴 High |
| Attack Vector | NETWORK |
| Attack Complexity | 🟢 Low |
| Privileges Required | NONE |
| User Interaction | REQUIRED |
| Scope | CHANGED |
| Confidentiality Impact | 🔴 High |
| Integrity Impact | NONE |
| Availability Impact | NONE |
CWE
| ID | Description |
|---|---|
| CWE-200 | CWE-200: Exposure of Sensitive Information to an Unauthorized Actor |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2021-10-05
- Version: 0.3.3
- AVID Entry