12 matches found
Linux Distros Unpatched Vulnerability : CVE-2024-22423
"The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - yt-dlp is a youtube-dl fork with additional features and fixes. The patch that addressed CVE-2023-40581 attempted to prevent RCE when using --exec with %q by...
TencentOS Server 4: yt-dlp (TSSA-2024:1138)
"The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the TSSA-2024:1138 advisory. Package updates are available for TencentOS Server 4 that fix the following vulnerabilities:...
SUSE CVE-2024-22423
yt-dlp is a youtube-dl fork with additional features and fixes. The patch that addressed CVE-2023-40581 attempted to prevent RCE when using --exec with %q by replacing double quotes with two double quotes. However, this escaping is not sufficient, and still allows expansion of environment...
yt-dlp: `--exec` command injection when using `%q` in yt-dlp on Windows (Bypass of CVE-2023-40581)
Summary The patch that addressed CVE-2023-40581 attempted to prevent RCE when using --exec with %q by replacing double quotes with two double quotes. However, this escaping is not sufficient, and still allows expansion of environment variables. Support for output template expansion in --exec, alo...
africanwhisper (>=0.2.8 <=0.9.0), agentx-tools (>=0.2.0 <=0.7.1) +114 more potentially affected by CVE-2024-22423 via yt-dlp (>=2021.9.2 <=2024.3.10)
yt-dlp PYPI version =2021.9.2, =0.2.8, =0.2.0, =2023.3.3, =0.1.0, =0.3.0, =0.1.0, =0.0.4, =0.9.0, =0.1.0, =1.4.0, =2024.3.25, =1.1.1, =0.1.0, =0.3.2 and more Source cves: CVE-2024-22423 Source advisory: OSV:GHSA-HJQ6-52GW-2G7P...
Multiple programming languages fail to escape arguments properly in Microsoft Windows
Overview Various programming languages lack proper validation mechanisms for commands and in some cases also fail to escape arguments correctly when invoking commands within a Microsoft Windows environment. The command injection vulnerability in these programming languages, when running on Window...
CVE-2024-22423
yt-dlp is a youtube-dl fork with additional features and fixes. The patch that addressed CVE-2023-40581 attempted to prevent RCE when using --exec with %q by replacing double quotes with two double quotes. However, this escaping is not sufficient, and still allows expansion of environment...
CVE-2024-22423 yt-dlp `--exec` command injection when using `%q` in yt-dlp on Windows
yt-dlp is a youtube-dl fork with additional features and fixes. The patch that addressed CVE-2023-40581 attempted to prevent RCE when using --exec with %q by replacing double quotes with two double quotes. However, this escaping is not sufficient, and still allows expansion of environment...
CVE-2024-22423 yt-dlp `--exec` command injection when using `%q` in yt-dlp on Windows
yt-dlp is a youtube-dl fork with additional features and fixes. The patch that addressed CVE-2023-40581 attempted to prevent RCE when using --exec with %q by replacing double quotes with two double quotes. However, this escaping is not sufficient, and still allows expansion of environment...
CVE-2024-22423
VULNERABILITY DETAIL: CVE-2024-22423 affects yt-dlp where output template expansion in --exec (previously vulnerable with %q) could lead to remote command execution via environment-variable expansion. Root cause: insufficient escaping of % characters in Windows command lines, despite earlier fixe...
CVE-2024-22423 yt-dlp `--exec` command injection when using `%q` in yt-dlp on Windows
yt-dlp is a youtube-dl fork with additional features and fixes. The patch that addressed CVE-2023-40581 attempted to prevent RCE when using --exec with %q by replacing double quotes with two double quotes. However, this escaping is not sufficient, and still allows expansion of environment...
africanwhisper (>=0.2.8 <=0.9.0), agentx-tools (>=0.2.0 <=0.7.1) +74 more potentially affected by CVE-2023-40581 +1 more via yt-dlp (>=2021.9.2 <=2023.7.6)
yt-dlp PYPI version =2021.9.2, =0.2.8, =0.2.0, =2023.3.3, =0.1.0, =0.3.0, =0.0.4, =1.4.0, =0.1.0, =1.0.2, =2.0.0a1, =11.7.1, =2.3.10, =3.0.1 and more Source cves: CVE-2023-40581, CVE-2024-22423 Source advisory: OSV:GHSA-42H4-V29R-42QG...