https://bugzilla.suse.com/show_bug.cgi?id=1222885 Bug ID: 1222885 Summary: VUL-0: CVE-2024-3572: python-Scrapy: Decompression bomb vulnerability Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.6 Hardware: Other URL: https://smash.suse.de/issue/401985/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: dmueller@suse.com Reporter: smash_bz@suse.de QA Contact: security-team@suse.de CC: rfrohl@suse.com Target Milestone: --- Found By: Security Response Team Blocker: --- The scrapy/scrapy project is vulnerable to XML External Entity (XXE) attacks due to the use of lxml.etree.fromstring for parsing untrusted XML data without proper validation. This vulnerability allows attackers to perform denial of service attacks, access local files, generate network connections, or circumvent firewalls by submitting specially crafted XML data. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-3572 https://www.cve.org/CVERecord?id=CVE-2024-3572 https://github.com/scrapy/scrapy/commit/809bfac4890f75fc73607318a04d2ccba71b... https://huntr.com/bounties/c4a0fac9-0c5a-4718-9ee4-2d06d58adabb -- You are receiving this mail because: You are on the CC list for the bug.