CVE-2023-46121

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-46121

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-46121.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2023-46121

Aliases

GHSA-3ch3-jhc6-5r8x

Related

Published

2023-11-15T00:15:09Z

Modified

2024-10-12T11:08:14.122376Z

Severity

3.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

[none]

Details

yt-dlp is a youtube-dl fork with additional features and fixes. The Generic Extractor in yt-dlp is vulnerable to an attacker setting an arbitrary proxy for a request to an arbitrary url, allowing the attacker to MITM the request made from yt-dlp's HTTP session. This could lead to cookie exfiltration in some cases. Version 2023.11.14 removed the ability to smuggle http_headers to the Generic extractor, as well as other extractors that use the same pattern. Users are advised to upgrade. Users unable to upgrade should disable the Ggneric extractor (or only pass trusted sites with trusted content) and ake caution when using --no-check-certificate.

References

Affected packages

Debian:12 / yt-dlp

Package

Name: yt-dlp
Purl: pkg:deb/debian/yt-dlp?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2023.*

2023.03.04-1

2023.06.21-1

2023.06.22-1~bpo12+1

2023.06.22-1

2023.07.06-1~bpo12+1

2023.07.06-1

2023.09.24-1

2023.09.24-2~bpo12+1

2023.09.24-2

2023.10.07-1~bpo12+1

2023.10.07-1

2023.10.13-1~bpo11+1

2023.10.13-1~bpo12+1

2023.10.13-1

2023.11.16-1~bpo11+1

2023.11.16-1~bpo12+1

2023.11.16-1

2023.12.30-1

2024.*

2024.03.10-1~bpo12+1

2024.03.10-1

2024.04.09-1~bpo12+1

2024.04.09-1

2024.05.26-1~bpo12+1

2024.05.26-1

2024.05.27-1~bpo12+1

2024.05.27-1

2024.07.01-1

2024.07.02-1~bpo12+1

2024.07.02-1

2024.07.07-1

2024.07.09-1~bpo12+1

2024.07.09-1

2024.07.16-1~bpo12+1

2024.07.16-1

2024.07.25-1~bpo12+1

2024.07.25-1

2024.08.01-1~bpo12+1

2024.08.01-1

2024.08.06-1~bpo12+1

2024.08.06-1

2024.09.27-1~bpo12+1

2024.09.27-1

2024.10.07-1~bpo12+1

2024.10.07-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / yt-dlp

Package

Name: yt-dlp
Purl: pkg:deb/debian/yt-dlp?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2023.11.16-1

Affected versions

2023.*

2023.03.04-1

2023.06.21-1

2023.06.22-1~bpo12+1

2023.06.22-1

2023.07.06-1~bpo12+1

2023.07.06-1

2023.09.24-1

2023.09.24-2~bpo12+1

2023.09.24-2

2023.10.07-1~bpo12+1

2023.10.07-1

2023.10.13-1~bpo11+1

2023.10.13-1~bpo12+1

2023.10.13-1

2023.11.16-1~bpo11+1

2023.11.16-1~bpo12+1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/yt-dlp/yt-dlp

Affected ranges

Type: GIT
Repo: https://github.com/yt-dlp/yt-dlp
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

f04b5bedad7b281bee9814686bba1762bae092eb

Affected versions

2021.*

2021.01.07

2021.01.08

2021.01.09

2021.01.10

2021.01.12

2021.01.14

2021.01.16

2021.01.20

2021.01.29

2021.02.04

2021.02.09

2021.02.15

2021.02.19

2021.02.24

2021.03.01

2021.03.03.2

2021.03.07

2021.03.15

2021.03.24

2021.03.24.1

2021.04.03

2021.04.11

2021.04.22

2021.05.11

2021.06.01

2021.06.08

2021.06.09

2021.06.23

2021.07.07

2021.07.21

2021.07.24

2021.08.02

2021.08.10

2021.09.02

2021.09.25

2021.10.09

2021.10.10

2021.10.22

2021.11.10

2021.11.10.1

2021.12.01

2021.12.25

2021.12.27

2022.*

2022.02.03

2022.02.04

2022.03.08.1

2022.04.08

2022.05.18

2022.06.22

2022.06.22.1

2022.06.29

2022.07.18

2022.08.08

2022.08.14

2022.08.19

2022.09.01

2022.10.04

2022.11.11

2023.*

2023.01.02

2023.01.06

2023.02.17

2023.03.03

2023.03.04

2023.06.21

2023.06.22

2023.07.06

2023.09.24

2023.10.07

2023.10.13