{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-24T22:44:39.637","vulnerabilities":[{"cve":{"id":"CVE-2021-41124","sourceIdentifier":"security-advisories@github.com","published":"2021-10-05T21:15:09.590","lastModified":"2026-06-17T04:07:55.193","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Scrapy-splash is a library which provides Scrapy and JavaScript integration. In affected versions users who use [`HttpAuthMiddleware`](http://doc.scrapy.org/en/latest/topics/downloader-middleware.html#module-scrapy.downloadermiddlewares.httpauth) (i.e. the `http_user` and `http_pass` spider attributes) for Splash authentication will have any non-Splash request expose your credentials to the request target. This includes `robots.txt` requests sent by Scrapy when the `ROBOTSTXT_OBEY` setting is set to `True`. Upgrade to scrapy-splash 0.8.0 and use the new `SPLASH_USER` and `SPLASH_PASS` settings instead to set your Splash authentication credentials safely. If you cannot upgrade, set your Splash request credentials on a per-request basis, [using the `splash_headers` request parameter](https://github.com/scrapy-plugins/scrapy-splash/tree/0.8.x#http-basic-auth), instead of defining them globally using the [`HttpAuthMiddleware`](http://doc.scrapy.org/en/latest/topics/downloader-middleware.html#module-scrapy.downloadermiddlewares.httpauth). Alternatively, make sure all your requests go through Splash. That includes disabling the [robots.txt middleware](https://docs.scrapy.org/en/latest/topics/downloader-middleware.html#topics-dlmw-robots)."},{"lang":"es","value":"Scrapy-splash es una biblioteca que proporciona integración de Scrapy y JavaScript. En las versiones afectadas, unos usuarios que usan [\"HttpAuthMiddleware\"](http://doc.scrapy.org/en/latest/topics/downloader-middleware.html#module-scrapy.downloadermiddlewares.httpauth) (es decir, los atributos \"http_user\" y \"http_pass\" de spider) para la autenticación de Splash tendrán cualquier petición que no sea de Scrapy expondrá sus credenciales al objetivo de la petición. Esto incluye las peticiones \"robots.txt\" enviadas por Scrapy cuando la configuración \"ROBOTSTXT_OBEY\" es establecida en \"True\". Actualice a scrapy-splash 0.8.0 y use los nuevos ajustes \"SPLASH_USER\" y \"SPLASH_PASS\" para establecer sus credenciales de autenticación de Splash de forma segura. Si no puede actualizar, establezca sus credenciales de petición de Splash en base a cada petición, [usando el parámetro de petición \"splash_headers\"](https://github.com/scrapy-plugins/scrapy-splash/tree/0.8.x#http-basic-auth), en lugar de definirlas globalmente usando el [\"HttpAuthMiddleware\"](http://doc.scrapy.org/en/latest/topics/downloader-middleware.html#module-scrapy.downloadermiddlewares.httpauth). Alternativamente, asegúrate de que todas tus peticiones pasan mediante Splash. Esto incluye la deshabilitación del middleware [robots.txt](https://docs.scrapy.org/en/latest/topics/downloader-middleware.html#topics-dlmw-robots)"}],"affected":[{"source":"security-advisories@github.com","affectedData":[{"vendor":"scrapy-plugins","product":"scrapy-splash","versions":[{"version":"< 0.8.0","status":"affected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N","baseScore":7.4,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":4.0},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":3.6}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:P/I:N/A:N","baseScore":4.3,"accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE"},"baseSeverity":"MEDIUM","exploitabilityScore":8.6,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-200"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:zyte:scrapy-splash:*:*:*:*:*:*:*:*","versionEndExcluding":"0.8.0","matchCriteriaId":"5C1C14A7-91D9-43EE-9494-C34DB5FAC73A"}]}]}],"references":[{"url":"https://github.com/scrapy-plugins/scrapy-splash/commit/2b253e57fe64ec575079c8cdc99fe2013502ea31","source":"security-advisories@github.com","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/scrapy-plugins/scrapy-splash/security/advisories/GHSA-823f-cwm9-4g74","source":"security-advisories@github.com","tags":["Third Party Advisory"]},{"url":"https://github.com/scrapy-plugins/scrapy-splash/commit/2b253e57fe64ec575079c8cdc99fe2013502ea31","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/scrapy-plugins/scrapy-splash/security/advisories/GHSA-823f-cwm9-4g74","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]}]}}]}