Severity: MEDIUM (CVSS 6.5)
PYSEC-2024-162
Details
A Regular Expression Denial of Service (ReDoS) vulnerability exists in the XMLFeedSpider class of the scrapy/scrapy project, in its regular-expression-based parsing of XML content. A crafted XML document that drives the parsing regex into heavy backtracking makes the spider spend time superlinear in the size of the input, so a single malicious response can hang the process and consume significant CPU, leaving services that rely on Scrapy for XML processing unresponsive. Because a crawler processes whatever the remote site returns, the attacker needs nothing more than a feed URL that the spider fetches.
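To make the failure mode concrete, the following is an added example, not Scrapy's code and not the payload from the report: an illustrative regex node splitter of the kind the description refers to, a constructed feed that drives it into quadratic backtracking, and a linear-time alternative built on Python's standard-library XML parser. The regex, the function names and the sample inputs are all assumptions made for the illustration.

```python
"""Illustrative ReDoS in a regex-based XML node splitter vs. a linear-time parser.

Added example (not Scrapy's code): the regex below is modelled on the kind of
node-splitting pattern the advisory describes. All inputs are constructed inline.
"""
import re
import time
import xml.etree.ElementTree as ET
from io import BytesIO


def regex_nodes(text: str, nodename: str) -> list[str]:
    """Naive splitter: find every <nodename ...>...</nodename> with a lazy wildcard.

    Each candidate start tag makes the engine scan forward for a closing tag.
    If the closing tag never comes, every one of k start tags rescans O(n)
    characters, so total work is O(k * n): quadratic on adversarial input.
    """
    name = re.escape(nodename)
    pattern = re.compile(rf"<{name}[\s>].*?</{name}>", re.DOTALL)
    return [m.group(0) for m in pattern.finditer(text)]


def parser_nodes(text: str, nodename: str) -> list[str]:
    """Linear-time alternative using a real XML parser (expat via ElementTree).

    Work is proportional to input length however the tags are arranged;
    malformed input fails fast with ParseError instead of hanging.
    """
    found = []
    try:
        for _event, elem in ET.iterparse(BytesIO(text.encode("utf-8")), events=("end",)):
            if elem.tag == nodename:
                elem.tail = None  # drop trailing text so the serialization is just the node
                found.append(ET.tostring(elem, encoding="unicode"))
                elem.clear()  # release children: bounded memory on large feeds
    except ET.ParseError:
        pass  # truncated or malformed feed: keep what was parsed, never loop
    return found


def hostile_feed(n: int) -> str:
    """Constructed payload: n opening <item> tags and no closing tag at all."""
    return "<item>" * n


def elapsed(fn, text: str, nodename: str = "item") -> float:
    """Wall-clock seconds for one call; used to show growth across input sizes."""
    t0 = time.perf_counter()
    fn(text, nodename)
    return time.perf_counter() - t0


# Constructed benign feed: both splitters must agree on it.
BENIGN_FEED = (
    '<?xml version="1.0"?>'
    "<feed>"
    "<item><title>a</title></item>"
    "<item><title>b</title></item>"
    "<item><title>c</title></item>"
    "</feed>"
)


if __name__ == "__main__":
    print("benign feeds agree:", regex_nodes(BENIGN_FEED, "item") == parser_nodes(BENIGN_FEED, "item"))
    # Doubling n roughly quadruples the regex time; the parser stays linear.
    for n in (1000, 2000, 4000):
        feed = hostile_feed(n)
        print(f"n={n:5d} bytes={len(feed):6d} "
              f"regex={elapsed(regex_nodes, feed):.3f}s "
              f"parser={elapsed(parser_nodes, feed):.3f}s")
```

Run it and compare the two columns: the regex column grows roughly four-fold per doubling of the payload, the parser column stays flat and returns immediately with an empty list because expat rejects the unterminated document at end of input. A real parser removes the backtracking problem but not every untrusted-input concern, so a crawler should still cap the response body size it is willing to feed to any iterator.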
Affected package
PyPI / scrapy
First affected version: 0 (every release before the fix)
Fixed in: commit 479619b340f197a8f24c5db45bc068fb8755f2c5
Remediation: a specifier such as scrapy>=479619b340f197a8f24c5db45bc068fb8755f2c5 is not valid for pip, which compares release versions, not git commit hashes. Upgrade to the first release that contains that commit (the linked GHSA advisory records the patched release) with pip install --upgrade scrapy, or, to pin the fix itself, install straight from the commit: pip install 'scrapy @ git+https://github.com/scrapy/scrapy@479619b340f197a8f24c5db45bc068fb8755f2c5'. To confirm a checkout already contains the fix, run git merge-base --is-ancestor 479619b340f197a8f24c5db45bc068fb8755f2c5 HEAD in the scrapy repository (exit status 0 means yes).
References
- https://huntr.com/bounties/271f94f2-1e05-4616-ac43-41752389e26b [EVIDENCE, FIX, REPORT, WEB]
- https://github.com/scrapy/scrapy/commit/479619b340f197a8f24c5db45bc068fb8755f2c5 [FIX]
- https://github.com/advisories/GHSA-cc65-xxvf-f7r9 [ADVISORY]