FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-05-02 10:37:19 UTC

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID | Description
2ad25820-c71a-4e6c-bb99-770c66fe496d | py-Scrapy -- credentials leak vulnerability

When the built-in HTTP proxy downloader middleware processes a request with `proxy` metadata, and that `proxy` metadata includes proxy credentials, the built-in HTTP proxy downloader middleware sets the `Proxy-Authorization` header, but only if that header is not already set.

There are third-party proxy-rotation downloader middlewares that set different `proxy` metadata every time they process a request.

Because of request retries and redirects, the same request can be processed by downloader middlewares more than once, including both the built-in HTTP proxy downloader middleware and any third-party proxy-rotation downloader middleware.

These third-party proxy-rotation downloader middlewares could change the `proxy` metadata of a request to a new value, but fail to remove the `Proxy-Authorization` header that was derived from the previous value of the `proxy` metadata, so the credentials of one proxy are sent to a different proxy.

If you rotate proxies from different proxy providers, and any of those proxies requires credentials, you are affected, unless you are handling proxy rotation as described under **Workarounds** in the linked advisory.

If you use a third-party downloader middleware for proxy rotation, the same applies to that downloader middleware, and installing a patched version of Scrapy may not be enough; patching that downloader middleware may be necessary as well.
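The leak described above, reduced to a runnable model. This is an added illustration and not Scrapy's own code: the `Request` class, the three middlewares, the middleware order (rotation runs first, then the built-in proxy middleware, on every retry of the same request) and the two sample proxies are assumptions. `NaiveRotatingProxyMiddleware` reproduces the bug, `SafeRotatingProxyMiddleware` shows the fix a rotation middleware needs: drop the stale `Proxy-Authorization` header whenever the proxy changes, so the built-in middleware derives a fresh one for the new proxy.

```python
"""Model of the proxy-credential leak: a minimal Request plus three downloader
middlewares. Added illustration, not Scrapy's code; names, middleware order
and the sample proxies are assumptions."""
from __future__ import annotations

import base64
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Request:
    url: str
    meta: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def basic_auth(proxy_url: str) -> str | None:
    """Proxy-Authorization value for the userinfo embedded in a proxy URL, or None."""
    parts = urlsplit(proxy_url)
    if parts.username is None:
        return None
    userinfo = f"{parts.username}:{parts.password or ''}"
    return "Basic " + base64.b64encode(userinfo.encode()).decode()


class BuiltinHttpProxyMiddleware:
    """Mimics the behaviour the advisory describes: derive Proxy-Authorization
    from the credentials in meta['proxy'], but only if the header is not set."""

    def process_request(self, request: Request) -> None:
        proxy = request.meta.get("proxy")
        if not proxy or "Proxy-Authorization" in request.headers:
            return
        auth = basic_auth(proxy)
        if auth is not None:
            request.headers["Proxy-Authorization"] = auth


class NaiveRotatingProxyMiddleware:
    """Third-party-style rotation with the bug: it swaps meta['proxy'] on every
    pass but leaves a stale Proxy-Authorization header behind."""

    def __init__(self, proxies: list[str]) -> None:
        self._proxies = list(proxies)
        self._calls = 0

    def process_request(self, request: Request) -> None:
        request.meta["proxy"] = self._proxies[self._calls % len(self._proxies)]
        self._calls += 1


class SafeRotatingProxyMiddleware(NaiveRotatingProxyMiddleware):
    """Same rotation, but the header is dropped whenever the proxy changes, so
    the built-in middleware re-derives it for the new proxy's credentials."""

    def process_request(self, request: Request) -> None:
        previous = request.meta.get("proxy")
        super().process_request(request)
        if request.meta["proxy"] != previous:
            request.headers.pop("Proxy-Authorization", None)


# Constructed sample: two proxies from different providers, each with its own credentials.
PROXIES = [
    "http://alice:s3cret@proxy-a.example:8080",
    "http://bob:hunter2@proxy-b.example:8080",
]


def run_attempts(rotator, attempts: int) -> list[tuple[str, str | None]]:
    """Push the same Request through the chain `attempts` times, as retries and
    redirects do. Returns (proxy host, Proxy-Authorization sent) per attempt."""
    builtin = BuiltinHttpProxyMiddleware()
    request = Request("https://example.com/")
    sent = []
    for _ in range(attempts):
        rotator.process_request(request)
        builtin.process_request(request)
        host = urlsplit(request.meta["proxy"]).hostname
        sent.append((host, request.headers.get("Proxy-Authorization")))
    return sent


def leaked(sent: list[tuple[str, str | None]]) -> bool:
    """True if any attempt would send one proxy's credentials to another proxy."""
    expected = {urlsplit(p).hostname: basic_auth(p) for p in PROXIES}
    return any(auth != expected[host] for host, auth in sent)


if __name__ == "__main__":
    print("naive rotation leaks:", leaked(run_attempts(NaiveRotatingProxyMiddleware(PROXIES), 2)))
    print("safe rotation leaks: ", leaked(run_attempts(SafeRotatingProxyMiddleware(PROXIES), 2)))
```

With the naive rotator the second attempt goes to `proxy-b.example` still carrying alice's `Basic` credentials; with the safe rotator each attempt carries only the credentials of the proxy it is sent to. The fix belongs in whichever middleware changes `proxy`, which is why a patched Scrapy alone may not close the hole when a third-party rotation middleware is in the chain.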


Discovery 2022-07-29
Entry 2023-08-31
Affected packages: py37-Scrapy, py38-Scrapy, py39-Scrapy, py310-Scrapy, py311-Scrapy
Affected versions: < 1.8.3; >= 2.0.0 and < 2.6.2
References:
https://osv.dev/vulnerability/GHSA-9x8m-2xpf-crp3
4eb5dccb-923c-4f18-9cd4-b53f9e28d4d7 | py-Scrapy -- DoS vulnerability

kmike and nramirezuy report:

Scrapy 1.4 allows remote attackers to cause a denial of service (memory consumption) via large files because arbitrarily many files are read into memory, which is especially problematic if the files are then individually written in a separate thread to a slow storage resource, as demonstrated by interaction between dataReceived (in core/downloader/handlers/http11.py) and S3FilesStore.
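The check a downloader needs against the class of problem reported above, as an added illustration that is not Scrapy's code: a response-body buffer that refuses to hold more than a configured number of bytes in memory, aborting the transfer as soon as the limit is crossed (and refusing up front when a declared Content-Length already exceeds it). The class and function names, the thresholds and the constructed byte streams are assumptions.

```python
"""Bounded response-body buffer. Added illustration, not Scrapy's code; names,
thresholds and the constructed streams are assumptions."""
from __future__ import annotations


class ResponseTooLarge(Exception):
    """Raised when a body exceeds the limit; the caller should cancel the transfer."""


class BoundedBodyBuffer:
    def __init__(self, maxsize: int, warnsize: int = 0, declared_length: int | None = None) -> None:
        self.maxsize = maxsize
        self.warnsize = warnsize
        self.received = 0
        self.peak_buffered = 0
        self.warned = False
        self._chunks: list[bytes] = []
        # Cheap pre-check: a declared Content-Length over the cap is refused before
        # a single byte of the body is buffered.
        if declared_length is not None and declared_length > maxsize:
            raise ResponseTooLarge(f"declared {declared_length} bytes > maxsize {maxsize}")

    def data_received(self, chunk: bytes) -> None:
        """Called once per network chunk, as a dataReceived-style callback would be."""
        self.received += len(chunk)
        if self.received > self.maxsize:
            self._chunks.clear()          # release what was buffered so far
            raise ResponseTooLarge(f"received {self.received} bytes > maxsize {self.maxsize}")
        if self.warnsize and not self.warned and self.received > self.warnsize:
            self.warned = True            # a real handler would log a warning here
        self._chunks.append(chunk)
        self.peak_buffered = max(self.peak_buffered, self.received)

    def body(self) -> bytes:
        return b"".join(self._chunks)


def download(chunks, maxsize: int, warnsize: int = 0, declared_length: int | None = None) -> dict:
    """Feed a stream of chunks through the buffer and report what happened."""
    try:
        buf = BoundedBodyBuffer(maxsize, warnsize, declared_length)
    except ResponseTooLarge:
        return {"status": "refused", "received": 0, "peak_buffered": 0}
    try:
        for chunk in chunks:
            buf.data_received(chunk)
    except ResponseTooLarge:
        return {"status": "aborted", "received": buf.received, "peak_buffered": buf.peak_buffered}
    return {"status": "ok", "received": buf.received, "peak_buffered": buf.peak_buffered,
            "warned": buf.warned, "body_len": len(buf.body())}


MIB = 1024 * 1024


def small_file():
    """Constructed 300 KiB body delivered in 100 KiB chunks."""
    return (b"a" * (100 * 1024) for _ in range(3))


def huge_file():
    """Constructed endless stream; a generator, so nothing is allocated up front."""
    while True:
        yield b"b" * MIB


if __name__ == "__main__":
    print(download(small_file(), maxsize=2 * MIB, warnsize=200 * 1024))
    print(download(huge_file(), maxsize=2 * MIB))
    print(download(huge_file(), maxsize=2 * MIB, declared_length=10 * MIB))
```

The endless stream is cut off after the third chunk with at most 2 MiB ever buffered, regardless of how slowly whatever consumes the body (a storage backend, for instance) drains it. A per-body cap bounds each response; how many such bodies sit in memory at once is a separate concurrency limit, and both need setting on a crawler that stores files.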


Discovery 2017-09-05
Entry 2023-08-31
Affected packages: py37-Scrapy, py38-Scrapy, py39-Scrapy, py310-Scrapy, py311-Scrapy
Affected versions: <= 2.8.0
References:
CVE-2017-14158
https://osv.dev/vulnerability/PYSEC-2017-83
https://osv.dev/vulnerability/GHSA-h7wm-ph43-c39p
67fe5e5b-549f-4a2a-9834-53f60eaa415e | py-Scrapy -- exposure of sensitive information vulnerability

ranjit-git reports:

Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository scrapy/scrapy prior to 2.6.1.


Discovery 2022-03-02
Entry 2023-08-31
Affected packages: py37-Scrapy, py38-Scrapy, py39-Scrapy, py310-Scrapy, py311-Scrapy
Affected versions: < 2.6.1
References:
CVE-2022-0577
https://osv.dev/vulnerability/PYSEC-2022-159
https://osv.dev/vulnerability/GHSA-cjvr-mfj7-j4j8
a5403af6-225e-48ba-b233-bd95ad26434a | py-Scrapy -- cookie injection vulnerability

Responses from domain names whose public domain name suffix contains 1 or more periods (e.g. responses from `example.co.uk`, given its public domain name suffix is `co.uk`) are able to set cookies that are included in requests to any other domain sharing the same domain name suffix.
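The domain check behind the cookie-injection entry above, as an added illustration that is not Scrapy's code. The naive rule only insists that a cookie's `Domain` attribute contains a dot and covers the response host, so `co.uk` (a public suffix with one period) is accepted and the cookie is then sent to every other `*.co.uk` host; the strict rule additionally rejects any `Domain` that is itself a public suffix. The suffix list is a constructed subset of the Public Suffix List, and the function names and sample hosts are assumptions.

```python
"""Cookie Domain validation against public suffixes. Added illustration, not
Scrapy's code; the suffix list is a constructed subset, hosts are assumptions."""
from __future__ import annotations

# Constructed subset of the Public Suffix List (no wildcard or exception rules).
PUBLIC_SUFFIXES = {"com", "uk", "co.uk", "org.uk", "github.io"}


def public_suffix(host: str) -> str:
    """Longest listed suffix of host, falling back to its last label."""
    labels = host.lower().strip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in PUBLIC_SUFFIXES:
            return candidate
    return labels[-1]


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 style domain match: host equals domain or is a subdomain of it."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def naive_accepts(response_host: str, cookie_domain: str) -> bool:
    """Buggy rule: a dotted Domain that covers the response host is enough."""
    domain = cookie_domain.lstrip(".").lower()
    return "." in domain and domain_matches(response_host, domain)


def strict_accepts(response_host: str, cookie_domain: str) -> bool:
    """Hardened rule: also reject a Domain that is itself a public suffix."""
    domain = cookie_domain.lstrip(".").lower()
    if not domain_matches(response_host, domain):
        return False
    return public_suffix(domain) != domain


class CookieJar:
    def __init__(self, accept) -> None:
        self._accept = accept
        self._cookies: list[tuple[str, bool, str, str]] = []

    def set_from_response(self, host: str, name: str, value: str, domain: str | None = None) -> bool:
        """Store a Set-Cookie received from `host`; returns whether it was accepted."""
        if domain is None:
            self._cookies.append((host.lower(), False, name, value))   # host-only cookie
            return True
        if not self._accept(host, domain):
            return False
        self._cookies.append((domain.lstrip(".").lower(), True, name, value))
        return True

    def cookies_for(self, host: str) -> dict[str, str]:
        """Cookies that would be attached to a request to `host`."""
        out = {}
        for domain, is_domain_cookie, name, value in self._cookies:
            matches = domain_matches(host, domain) if is_domain_cookie else host.lower() == domain
            if matches:
                out[name] = value
        return out


def cross_site_cookie(accept) -> dict[str, str]:
    """Constructed scenario: a response from example.co.uk sets Domain=co.uk, then the
    jar is asked what it would send to an unrelated host under the same suffix."""
    jar = CookieJar(accept)
    jar.set_from_response("example.co.uk", "session", "attacker-chosen", domain="co.uk")
    jar.set_from_response("example.co.uk", "pref", "ok", domain=".example.co.uk")
    return jar.cookies_for("victim.co.uk")


if __name__ == "__main__":
    print("naive jar sends to victim.co.uk: ", cross_site_cookie(naive_accepts))
    print("strict jar sends to victim.co.uk:", cross_site_cookie(strict_accepts))
```

With the naive jar, `victim.co.uk` receives the `session` cookie planted by `example.co.uk`; with the strict jar only the legitimately scoped `pref` cookie is kept, and it is never sent to `victim.co.uk`. A real implementation must load the full Public Suffix List (with its wildcard and exception rules) rather than the handful of entries constructed here.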


Discovery 2022-03-01
Entry 2023-08-31
Affected packages: py37-Scrapy, py38-Scrapy, py39-Scrapy, py310-Scrapy, py311-Scrapy
Affected versions: < 1.8.2; >= 2.0.0 and < 2.6.0
References:
https://osv.dev/vulnerability/GHSA-mfjm-vh54-3f96