7.5

CVE-2024-3572

Exploit

EPSS 0.16%
Veröffentlicht 16.04.2024 00:15:12
Zuletzt bearbeitet 28.07.2025 14:49:45
Quelle security@huntr.dev
CVE-Watchlists
Login
Unerledigt
Login

The scrapy/scrapy project is vulnerable to XML External Entity (XXE) attacks due to the use of lxml.etree.fromstring for parsing untrusted XML data without proper validation. This vulnerability allows attackers to perform denial of service attacks, access local files, generate network connections, or circumvent firewalls by submitting specially crafted XML data.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Scrapy ≫ Scrapy Version < 2.11.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.16%	0.371

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@huntr.dev	7.5	3.9	3.6	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-409 Improper Handling of Highly Compressed Data (Data Amplification)

The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.

https://github.com/scrapy/scrapy/commit/809bfac4890f75fc73607318a04d2ccba71b3d9f

Patch

https://huntr.com/bounties/c4a0fac9-0c5a-4718-9ee4-2d06d58adabb

Third Party Advisory

Exploit

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2024-3572

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-3572

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-3572

EUVD