CVE-2024-3572 HIGH

CVE-2024-3572: XML External Entity (XXE) Vulnerability in scrapy/scrapy

Vendor Scrapy
Product scrapy/scrapy
Weakness CWE-409
Published April 16, 2024
Last update August 1, 2024

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Description

The scrapy/scrapy project is vulnerable to XML External Entity (XXE) attacks due to the use of lxml.etree.fromstring for parsing untrusted XML data without proper validation. This vulnerability allows attackers to perform denial of service attacks, access local files, generate network connections, or circumvent firewalls by submitting specially crafted XML data.
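The mitigation for this bug class, as an added example that is not scrapy's own code: parse untrusted XML with an lxml parser that never substitutes entities or fetches external resources. It assumes lxml is installed; the DOCTYPE samples and the `file:///path/not/read` URL are constructed.

```python
# Added example, not scrapy's own code: a hardened lxml parser for untrusted XML.
# Assumes lxml is installed; the DOCTYPE samples below are constructed.
from lxml import etree

# Hardened parser: no entity substitution (internal or external), no network
# fetches, no external DTD loading, libxml2's default size limits kept.
SAFE_PARSER = etree.XMLParser(
    resolve_entities=False,
    no_network=True,
    load_dtd=False,
    huge_tree=False,
)


def parse_untrusted(xml_bytes: bytes):
    """Parse with SAFE_PARSER; return (root, has_doctype, unresolved entity names).

    Entity references survive as etree.Entity nodes instead of being expanded,
    so a SYSTEM entity never reads a file or opens a connection, and an
    internal entity cannot be used for expansion-based denial of service.
    """
    root = etree.fromstring(xml_bytes, parser=SAFE_PARSER)
    has_doctype = bool(root.getroottree().docinfo.doctype)
    unresolved = [ent.name for ent in root.iter(etree.Entity)]
    return root, has_doctype, unresolved


def serialize(xml_bytes: bytes) -> bytes:
    """Round-trip the root element; entities come back as references, not content."""
    root, _, _ = parse_untrusted(xml_bytes)
    return etree.tostring(root)


# Constructed samples: an external SYSTEM entity, an internal entity, plain XML.
EXTERNAL = (b'<?xml version="1.0"?>'
            b'<!DOCTYPE d [<!ENTITY xxe SYSTEM "file:///path/not/read">]>'
            b"<d>&xxe;</d>")
INTERNAL = b'<!DOCTYPE d [<!ENTITY e "expanded">]><d>&e;</d>'
PLAIN = b"<d>x</d>"

if __name__ == "__main__":
    for sample in (EXTERNAL, INTERNAL, PLAIN):
        root, has_doctype, unresolved = parse_untrusted(sample)
        print(serialize(sample), has_doctype, unresolved)
```

A stricter policy is to reject any input for which `has_doctype` is true, since a feed or sitemap parsed by a crawler has no legitimate need for a DTD.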

Disclosure timeline

April 16, 2024 CVE published
August 1, 2024 Record updated
