CVE-2017-14158 — Scrapy denial of service vulnerability

Description

Scrapy 1.4 allows remote attackers to cause a denial of service (memory consumption) via large files because arbitrarily many files are read into memory, which is especially problematic if the files are then individually written in a separate thread to a slow storage resource, as demonstrated by interaction between dataReceived (in core/downloader/handlers/http11.py) and S3FilesStore.

How to fix CVE-2017-14158

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed
—no fix listed
—no fix listed

Is CVE-2017-14158 being exploited?

Low — EPSS is 1.5%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0
>= 0.7, <= 2.15.2
>= 0.7

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (8)

ADVISORYgithub.com/advisories/GHSA-h7wm-ph43-c39p
ADVISORYnvd.nist.gov/vuln/detail/CVE-2017-14158
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2017-14158
PATCHgithub.com/scrapy/scrapy
WEB