CVE-2024-3572 — Scrapy decompression bomb vulnerability

Description

The scrapy/scrapy project is vulnerable to XML External Entity (XXE) attacks due to the use of lxml.etree.fromstring for parsing untrusted XML data without proper validation. This vulnerability allows attackers to perform denial of service attacks, access local files, generate network connections, or circumvent firewalls by submitting specially crafted XML data.

How to fix CVE-2024-3572

To remediate CVE-2024-3572, upgrade the affected package to a fixed version below.

—no fix listed
—upgrade to 2.11.1 or later

Is CVE-2024-3572 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0
>= 2.0.0, < 2.11.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (8)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-3572
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2024-3572
PATCHgithub.com/scrapy/scrapy
WEBdocs.scrapy.org/en/latest/news.html#scrapy-2-11-1-2024-02-14
WEB