Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
vulnrichmentGitHub_MVULNRICHMENT:CVE-2023-46121
HistoryNov 14, 2023 - 11:31 p.m.

CVE-2023-46121 Generic Extractor MITM Vulnerability in yt-dlp

2023-11-1423:31:55
CWE-444
GitHub_M
github.com
4
yt-dlp
generic extractor
mitm
vulnerability
http session
cookie exfiltration
version 2023.11.14
upgrade
disable
--no-check-certificate

CVSS3

5

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L

AI Score

6.8

Confidence

Low

SSVC

Exploitation

none

Automatable

no

Technical Impact

partial

JSON

yt-dlp is a youtube-dl fork with additional features and fixes. The Generic Extractor in yt-dlp is vulnerable to an attacker setting an arbitrary proxy for a request to an arbitrary url, allowing the attacker to MITM the request made from yt-dlp’s HTTP session. This could lead to cookie exfiltration in some cases. Version 2023.11.14 removed the ability to smuggle http_headers to the Generic extractor, as well as other extractors that use the same pattern. Users are advised to upgrade. Users unable to upgrade should disable the Ggneric extractor (or only pass trusted sites with trusted content) and ake caution when using --no-check-certificate.

Related

alpinelinux 1
github 1
prion 1
cve 1
ubuntucve 1
veracode 1
nvd 1
debiancve 1
osv 3
cvelist 1
openvas 1
nessus 1
gentoo 1
alpinelinux
alpinelinux
CVE-2023-46121
2023-11-15 00:15:09
github
github
yt-dlp Generic Extractor MITM Vulnerability via Arbitrary Proxy Injection
2023-11-15 14:48:24
prion
prion
Design/Logic Flaw
2023-11-15 00:15:00
cve
cve
CVE-2023-46121
2023-11-15 00:15:09
ubuntucve
ubuntucve
CVE-2023-46121
2023-11-15 00:00:00
veracode
veracode
HTTP Request Smuggling
2023-11-15 08:35:11
nvd
nvd
CVE-2023-46121
2023-11-15 00:15:09
debiancve
debiancve
CVE-2023-46121
2023-11-15 00:15:09
osv
osv
CVE-2023-46121
2023-11-15 00:15:09
yt-dlp Generic Extractor MITM Vulnerability via Arbitrary Proxy Injection
2023-11-15 14:48:24
python310-yt-dlp-2023.11.16-1.1 on GA media
2024-06-15 00:00:00
cvelist
cvelist
CVE-2023-46121 Generic Extractor MITM Vulnerability in yt-dlp
2023-11-14 23:31:55
openvas
openvas
openSUSE: Security Advisory for yt (openSUSE-SU-2023:0374-1)
2024-03-04 00:00:00
nessus
nessus
openSUSE 15 Security Update : yt-dlp (openSUSE-SU-2023:0374-1)
2023-11-19 00:00:00
gentoo
gentoo
yt-dlp: Multiple Vulnerabilities
2024-09-28 00:00:00

CVSS3

5

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L

AI Score

6.8

Confidence

Low

SSVC

Exploitation

none

Automatable

no

Technical Impact

partial

JSON
Related for VULNRICHMENT:CVE-2023-46121
alpinelinux1github1prion1cve1ubuntucve1veracode1nvd1debiancve1osv3cvelist1openvas1nessus1gentoo1