U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Vulnerability Change Records for CVE-2024-1968

Change History

New CVE Received from huntr.dev 5/20/2024 4:15:08 AM

Action Type Old Value New Value
Added Description

								
							
							
						
In scrapy/scrapy, an issue was identified where the Authorization header is not removed during redirects that only change the scheme (e.g., HTTPS to HTTP) but remain within the same domain. This behavior contravenes the Fetch standard, which mandates the removal of Authorization headers in cross-origin requests when the scheme, host, or port changes. Consequently, when a redirect downgrades from HTTPS to HTTP, the Authorization header may be inadvertently exposed in plaintext, leading to potential sensitive information disclosure to unauthorized actors. The flaw is located in the _build_redirect_request function of the redirect middleware.
Added CVSS V3

								
							
							
						
huntr.dev AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Added CWE

								
							
							
						
huntr.dev CWE-200
Added Reference

								
							
							
						
huntr.dev https://github.com/scrapy/scrapy/commit/1d0502f25bbe55a22899af915623fda1aaeb9dd8 [No types assigned]
Added Reference

								
							
							
						
huntr.dev https://huntr.com/bounties/27f6a021-a891-446a-ada5-0226d619dd1a [No types assigned]