PT-2022-28263 · Scrapy · Scrapy

Published 2022-03-01 · Updated 2022-03-01

Severity: None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions
Scrapy versions prior to 2.6.0
Scrapy versions 1.8.0 through 1.8.1
Description
Scrapy does not treat a multi-label public domain suffix (a suffix containing one or more periods, such as co.uk) as a boundary when scoping cookies. A response from a host under such a suffix, for example example.co.uk, can set a cookie scoped to the suffix itself (a Domain attribute of .co.uk), and Scrapy then includes that cookie in requests to every other domain sharing the same suffix. Any site the crawler visits under a shared public suffix can therefore plant cookies that are sent to unrelated sites under that suffix, and cookies a crawled site scopes to its public suffix are exposed to every other site under it.
Recommendations
For Scrapy versions prior to 1.8.2, upgrade to Scrapy 1.8.2. For Scrapy versions prior to 2.6.0, upgrade to Scrapy 2.6.0.
As a temporary workaround for unpatched versions, disable cookies altogether by setting COOKIES_ENABLED = False in the project settings, or limit the crawl's target domains (for example via the spider's allowed_domains) to a subset that contains no domain under one of the affected public suffixes. Note that the second workaround only helps if the whole allowed set lies outside such suffixes; two allowed domains under co.uk would still share cookies.
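The cookie leak described above, reproduced with the Python standard library cookie jar as an added example. This is not Scrapy's code and does not reproduce Scrapy's fix; it assumes the crawler's jar behaves like the stdlib DefaultCookiePolicy, which does not consult the Public Suffix List. FakeResponse, cookie_header_sent, run_cases, the PUBLIC_SUFFIXES table and the PublicSuffixCookiePolicy class are all constructed for this example, and the suffix table is a tiny hand-picked subset of the real Public Suffix List.

```python
"""Cookie scoping across a multi-label public suffix (constructed example).

Shows that the default stdlib policy lets example.co.uk set a cookie for
.co.uk that is then sent to other.co.uk, and that a policy which refuses
public suffixes as cookie domains stops it without breaking legitimate
site-wide cookies.
"""
import email.message
from http.cookiejar import CookieJar, DefaultCookiePolicy
from urllib.request import Request


class FakeResponse:
    """Minimal stand-in for an HTTP response (constructed). CookieJar only
    needs .info() to return a header mapping with get_all('Set-Cookie')."""

    def __init__(self, set_cookie_values):
        self._headers = email.message.Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


# Hand-picked subset of the Public Suffix List for the example; a real
# deployment would load the full list (for example via tldextract).
PUBLIC_SUFFIXES = {"com", "uk", "co.uk", "org.uk", "au", "com.au", "github.io"}


class PublicSuffixCookiePolicy(DefaultCookiePolicy):
    """Hypothetical hardening: reject a Domain attribute that is itself a
    public suffix, so a response from example.co.uk cannot scope a cookie
    to .co.uk. Everything else is delegated to the default policy."""

    def set_ok_domain(self, cookie, request):
        if cookie.domain_specified and cookie.domain.lstrip(".") in PUBLIC_SUFFIXES:
            return False
        return super().set_ok_domain(cookie, request)


def cookie_header_sent(policy, set_cookie, setter_url, target_url):
    """Let a response from setter_url set one cookie under the given policy,
    then return the Cookie header (or None) that would go to target_url."""
    jar = CookieJar(policy)
    jar.extract_cookies(FakeResponse([set_cookie]), Request(setter_url))
    target = Request(target_url)
    jar.add_cookie_header(target)
    return target.get_header("Cookie")


def run_cases():
    """Four scenarios: the leak, the hardened refusal, a host-only cookie,
    and a legitimate site-wide cookie that must keep working."""
    suffix_cookie = "session=abc; Domain=.co.uk; Path=/"
    host_only_cookie = "session=abc; Path=/"
    site_cookie = "session=abc; Domain=.example.co.uk; Path=/"
    return {
        # Default policy: a cookie scoped to the public suffix co.uk is sent
        # to an unrelated site under the same suffix.
        "default_suffix": cookie_header_sent(
            DefaultCookiePolicy(), suffix_cookie,
            "http://example.co.uk/", "http://other.co.uk/"),
        # Hardened policy: the suffix-scoped cookie is refused at set time.
        "hardened_suffix": cookie_header_sent(
            PublicSuffixCookiePolicy(), suffix_cookie,
            "http://example.co.uk/", "http://other.co.uk/"),
        # A cookie without a Domain attribute stays host-only either way.
        "default_host_only": cookie_header_sent(
            DefaultCookiePolicy(), host_only_cookie,
            "http://example.co.uk/", "http://other.co.uk/"),
        # A site-wide cookie for example.co.uk still reaches its subdomains.
        "hardened_site": cookie_header_sent(
            PublicSuffixCookiePolicy(), site_cookie,
            "http://www.example.co.uk/", "http://api.example.co.uk/"),
    }


if __name__ == "__main__":
    for name, header in run_cases().items():
        print(f"{name}: Cookie header sent = {header!r}")
```

The stdlib policy only applies its built-in "co.uk"-style heuristic when strict_domain is enabled, which it is not by default, so the leak in the first case is the default behaviour. The hardening shown here keys the refusal on the cookie's Domain attribute; it is a check at store time, which is the cheapest place to enforce it, because a cookie that never enters the jar cannot be attached to any later request.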

Related Identifiers

GHSA-mfjm-vh54-3f96

Affected Products

Scrapy