CVE Vulnerabilities

CVE-2024-3572

Improper Handling of Highly Compressed Data (Data Amplification)

Published: Apr 16, 2024 | Modified: Apr 16, 2024
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu
MEDIUM

The scrapy/scrapy project is vulnerable to XML External Entity (XXE) attacks due to the use of lxml.etree.fromstring for parsing untrusted XML data without proper validation. This vulnerability allows attackers to perform denial of service attacks, access local files, generate network connections, or circumvent firewalls by submitting specially crafted XML data.

Weakness

The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.

Affected Software

Name Vendor Start Version End Version
Python-scrapy Ubuntu mantic *
Python-scrapy Ubuntu upstream *

References