CVE-2024-1968: 
Python vulnerability analysis and mitigation

In scrapy/scrapy, a security vulnerability (CVE-2024-1968) was identified where the Authorization header is not properly handled during redirects that change the scheme (e.g., HTTPS to HTTP) while remaining within the same domain. This vulnerability was discovered in May 2024 and affects the redirect middleware functionality of the Scrapy framework (NVD).

The vulnerability exists in the buildredirect_request function of the redirect middleware. The issue occurs when the Authorization header is not removed during redirects that only change the scheme but remain within the same domain. This behavior violates the Fetch standard, which requires the removal of Authorization headers in cross-origin requests when the scheme, host, or port changes (Github Commit). The vulnerability has been assigned a CVSS v3.0 base score of 7.5 (HIGH) with vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (NVD).

When a redirect downgrades from HTTPS to HTTP, the Authorization header may be inadvertently exposed in plaintext, potentially leading to the disclosure of sensitive authentication information to unauthorized actors (NVD).

A fix has been implemented in the Scrapy framework that properly handles the Authorization header during redirects. The fix ensures compliance with the Fetch standard by removing the Authorization header when appropriate during cross-origin requests (Github Commit).