CVE-2023-46121

Generic Extractor MITM Vulnerability in yt-dlp

Severity Score: 3.7 (CVSS v3.1)
Exploit Likelihood (EPSS):
Affected Versions (CPE):
Public Exploits: 0 (Multiple Sources)
Exploited in Wild: - (KEV)
Decision: Track (SSVC)

Descriptions

yt-dlp is a youtube-dl fork with additional features and fixes. The Generic Extractor in yt-dlp is vulnerable to an attacker setting an arbitrary proxy for a request to an arbitrary URL, allowing the attacker to MITM the request made from yt-dlp's HTTP session. This could lead to cookie exfiltration in some cases. Version 2023.11.14 removed the ability to smuggle `http_headers` to the Generic extractor, as well as other extractors that use the same pattern. Users are advised to upgrade. Users unable to upgrade should disable the Generic extractor (or only pass trusted sites with trusted content) and take caution when using `--no-check-certificate`.

*Credits: N/A
CVSS Scores
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low
* Common Vulnerability Scoring System
SSVC
  • Decision: Track
  • Exploitation: None
  • Automatable: No
  • Tech. Impact: Partial
* Organization's Worst-case Scenario
Timeline
  • 2023-10-16 CVE Reserved
  • 2023-11-14 CVE Published
  • 2024-08-29 CVE Updated
  • 2024-10-14 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CAPEC
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
Yt-dlp Project | Yt-dlp | >= 2022.10.04 < 2023.11.14 | - | Affected