CVE-2024-1968 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2024-1968 Interim 1 4 2025-02-16T01:50:28Z current 2024-05-20T23:12:18Z 2025-02-16T01:50:28Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2024-1968 In scrapy/scrapy, an issue was identified where the Authorization header is not removed during redirects that only change the scheme (e.g., HTTPS to HTTP) but remain within the same domain. This behavior contravenes the Fetch standard, which mandates the removal of Authorization headers in cross-origin requests when the scheme, host, or port changes. Consequently, when a redirect downgrades from HTTPS to HTTP, the Authorization header may be inadvertently exposed in plaintext, leading to potential sensitive information disclosure to unauthorized actors. The flaw is located in the _build_redirect_request function of the redirect middleware. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Tumbleweed python-Scrapy-doc-2.11.2-1.1 python310-Scrapy-2.11.2-1.1 python311-Scrapy-2.11.2-1.1 python312-Scrapy-2.11.2-1.1 python-Scrapy-doc-2.11.2-1.1 as a component of openSUSE Tumbleweed python310-Scrapy-2.11.2-1.1 as a component of openSUSE Tumbleweed python311-Scrapy-2.11.2-1.1 as a component of openSUSE Tumbleweed python312-Scrapy-2.11.2-1.1 as a component of openSUSE Tumbleweed In scrapy/scrapy, an issue was identified where the Authorization header is not removed during redirects that only change the scheme (e.g., HTTPS to HTTP) but remain within the same domain. This behavior contravenes the Fetch standard, which mandates the removal of Authorization headers in cross-origin requests when the scheme, host, or port changes. Consequently, when a redirect downgrades from HTTPS to HTTP, the Authorization header may be inadvertently exposed in plaintext, leading to potential sensitive information disclosure to unauthorized actors. The flaw is located in the _build_redirect_request function of the redirect middleware. CVE-2024-1968 openSUSE Tumbleweed:python-Scrapy-doc-2.11.2-1.1 openSUSE Tumbleweed:python310-Scrapy-2.11.2-1.1 openSUSE Tumbleweed:python311-Scrapy-2.11.2-1.1 openSUSE Tumbleweed:python312-Scrapy-2.11.2-1.1 moderate 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N