Lucene search

Veracode Vulnerability DatabaseVERACODE:46382

HistoryApr 12, 2024 - 10:28 a.m.

OS Command Injection

2024-04-1210:28:04

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

yt-dlp vulnerability

os command injection

output templates

software

8.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

7.1 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.9%

JSON

yt-dlp is vulnerable to OS Command Injection. This vulnerability is due to insufficient escaping of special characters, specifically in the expansion of output templates within the --exec option.

CPENameOperatorVersion
yt-dlple2024.4.8.232708.dev0
yt-dlple2024.4.8.232708.dev0

CPE	Name	Operator	Version
	yt-dlp	le	2024.4.8.232708.dev0
	yt-dlp	le	2024.4.8.232708.dev0

References

github.com/yt-dlp/yt-dlp/commit/de015e930747165dbb8fcd360f8775fd973b7d6e

github.com/yt-dlp/yt-dlp/commit/ff07792676f404ffff6ee61b5638c9dc1a33a37a

github.com/yt-dlp/yt-dlp/releases/tag/2021.04.11

github.com/yt-dlp/yt-dlp/releases/tag/2024.04.09

github.com/yt-dlp/yt-dlp/security/advisories/GHSA-42h4-v29r-42qg

github.com/yt-dlp/yt-dlp/security/advisories/GHSA-hjq6-52gw-2g7p

www.kb.cert.org/vuls/id/123335

8.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

7.1 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.9%

JSON

Related for VERACODE:46382