CVE-2017-7235
Severity: high
CVSS v3: 8.8
CVSS v2: 6.8
VIR risk: 8.8
Description
An issue was discovered in cloudflare-scrape 1.6.6 through 1.7.1. A malicious website owner could craft a page that executes arbitrary Python code against any cfscrape user who scrapes that website. This is fixed in 1.8.0.
Predictions
Exploit likelihood: 92%
Patch ETA: —
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: cve@mitre.org — https://github.com/Anorov/cloudflare-scrape/releases/tag/1.8.0
Vendor advisory: cve@mitre.org — https://github.com/Anorov/cloudflare-scrape/issues/97
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| PyPI | cfscrape | >=1.6.6,<1.8.0 | 1.8.0 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| cloudflare-scrape_project | cloudflare-scrape | 1.6.6 | |
| cloudflare-scrape_project | cloudflare-scrape | 1.6.7 | |
| cloudflare-scrape_project | cloudflare-scrape | 1.6.8 | |
| cloudflare-scrape_project | cloudflare-scrape | 1.7.0 | |
| cloudflare-scrape_project | cloudflare-scrape | 1.7.1 | |
References
- https://nvd.nist.gov/vuln/detail/CVE-2017-7235
- https://github.com/Anorov/cloudflare-scrape/issues/97
- https://github.com/Anorov/cloudflare-scrape
- https://github.com/Anorov/cloudflare-scrape/releases/tag/1.8.0
- https://github.com/advisories/GHSA-5mc5-5j6c-qmf9
- https://github.com/pypa/advisory-database/tree/main/vulns/cfscrape/PYSEC-2017-7.yaml
- https://web.archive.org/web/20170701161512/http://www.securityfocus.com/bid/97191
- http://www.securityfocus.com/bid/97191
CWEs
CWE-20 (Improper Input Validation)