CVE-2021-41125 (Medium) detected in Scrapy-1.5.1-py2.py3-none-any.whl

## CVE-2021-41125 - Medium Severity Vulnerability
<details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/vulnerability_details.png' width=19 height=20> Vulnerable Library - Scrapy-1.5.1-py2.py3-none-any.whl</summary>

A high-level Web Crawling and Web Scraping framework
Library home page: <a href="https://files.pythonhosted.org/packages/5d/12/a6197eaf97385e96fd8ec56627749a6229a9b3178ad73866a0b1fb377379/Scrapy-1.5.1-py2.py3-none-any.whl">https://files.pythonhosted.org/packages/5d/12/a6197eaf97385e96fd8ec56627749a6229a9b3178ad73866a0b1fb377379/Scrapy-1.5.1-py2.py3-none-any.whl</a>
Path to dependency file: /scrapers/requirements.txt
Path to vulnerable library: /scrapers/requirements.txt


Dependency Hierarchy:
 - :x: **Scrapy-1.5.1-py2.py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: <a href="https://api.github.com/repos/OSWeekends/eventpoints-backend/git/commits/35017e222f0982c0f71acdb8134994d36da4c50f">35017e222f0982c0f71acdb8134994d36da4c50f</a>

</details>

<details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/medium_vul.png' width=19 height=20> Vulnerability Details</summary>
 
 
Scrapy is a high-level web crawling and scraping framework for Python. If you use `HttpAuthMiddleware` (i.e. the `http_user` and `http_pass` spider attributes) for HTTP authentication, all requests will expose your credentials to the request target. This includes requests generated by Scrapy components, such as `robots.txt` requests sent by Scrapy when the `ROBOTSTXT_OBEY` setting is set to `True`, or as requests reached through redirects. Upgrade to Scrapy 2.5.1 and use the new `http_auth_domain` spider attribute to control which domains are allowed to receive the configured HTTP authentication credentials. If you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.5.1 is not an option, you may upgrade to Scrapy 1.8.1 instead. If you cannot upgrade, set your HTTP authentication credentials on a per-request basis, using for example the `w3lib.http.basic_auth_header` function to convert your credentials into a value that you can assign to the `Authorization` header of your request, instead of defining your credentials globally using `HttpAuthMiddleware`.

Publish Date: 2021-10-06
URL: <a href=https://vuln.whitesourcesoftware.com/vulnerability/CVE-2021-41125>CVE-2021-41125</a>

</details>

<details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/cvss3.png' width=19 height=20> CVSS 3 Score Details (6.5)</summary>


Base Score Metrics:
- Exploitability Metrics:
 - Attack Vector: Network
 - Attack Complexity: Low
 - Privileges Required: Low
 - User Interaction: None
 - Scope: Unchanged
- Impact Metrics:
 - Confidentiality Impact: High
 - Integrity Impact: None
 - Availability Impact: None

For more information on CVSS3 Scores, click <a href="https://www.first.org/cvss/calculator/3.0">here</a>.

</details>

<details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/suggested_fix.png' width=19 height=20> Suggested Fix</summary>


Type: Upgrade version
Origin: <a href="https://github.com/advisories/GHSA-jwqp-28gf-p498">https://github.com/advisories/GHSA-jwqp-28gf-p498</a>
Release Date: 2021-10-06
Fix Resolution: scrapy - 1.8.1, 2.5.1


</details>


***
Step up your Open Source Security Game with WhiteSource [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

CVE-2021-41125 (Medium) detected in Scrapy-1.5.1-py2.py3-none-any.whl #110

CVE-2021-41125 - Medium Severity Vulnerability

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

CVE-2021-41125 (Medium) detected in Scrapy-1.5.1-py2.py3-none-any.whl #110

Description

CVE-2021-41125 - Medium Severity Vulnerability

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions