Upstream information

CVE-2023-46121 at MITRE

Description

yt-dlp is a youtube-dl fork with additional features and fixes. The Generic Extractor in yt-dlp is vulnerable to an attacker setting an arbitrary proxy for a request to an arbitrary url, allowing the attacker to MITM the request made from yt-dlp's HTTP session. This could lead to cookie exfiltration in some cases. Version 2023.11.14 removed the ability to smuggle `http_headers` to the Generic extractor, as well as other extractors that use the same pattern. Users are advised to upgrade. Users unable to upgrade should disable the Ggneric extractor (or only pass trusted sites with trusted content) and ake caution when using `--no-check-certificate`.

SUSE information

Overall state of this security issue: Resolved

This issue is currently not rated by SUSE as it is not affecting the SUSE Enterprise products.

CVSS v3 Scores
  National Vulnerability Database
Base Score 3.7
Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality Impact Low
Integrity Impact None
Availability Impact None
CVSSv3 Version 3.1
SUSE Bugzilla entry: 1217153 [RESOLVED / FIXED]

SUSE Security Advisories:

List of released packages

Product(s) Fixed package version(s) References
SUSE Package Hub 15 SP5
  • python311-yt-dlp >= 2023.11.14-bp155.3.3.1
  • yt-dlp >= 2023.11.14-bp155.3.3.1
  • yt-dlp-bash-completion >= 2023.11.14-bp155.3.3.1
  • yt-dlp-fish-completion >= 2023.11.14-bp155.3.3.1
  • yt-dlp-zsh-completion >= 2023.11.14-bp155.3.3.1
Patchnames:
openSUSE-2023-374
openSUSE Leap 15.5
  • python311-yt-dlp >= 2023.11.14-bp155.3.3.1
  • yt-dlp >= 2023.11.14-bp155.3.3.1
  • yt-dlp-bash-completion >= 2023.11.14-bp155.3.3.1
  • yt-dlp-fish-completion >= 2023.11.14-bp155.3.3.1
  • yt-dlp-zsh-completion >= 2023.11.14-bp155.3.3.1
Patchnames:
openSUSE-2023-374
openSUSE Tumbleweed
  • python310-yt-dlp >= 2023.11.16-1.1
  • python311-yt-dlp >= 2023.11.16-1.1
  • python39-yt-dlp >= 2023.11.16-1.1
  • yt-dlp >= 2023.11.16-1.1
  • yt-dlp-bash-completion >= 2023.11.16-1.1
  • yt-dlp-fish-completion >= 2023.11.16-1.1
  • yt-dlp-zsh-completion >= 2023.11.16-1.1
Patchnames:
openSUSE-Tumbleweed-2024-13435


SUSE Timeline for this CVE

CVE page created: Wed Nov 15 03:00:08 2023
CVE page last modified: Tue Sep 3 19:30:42 2024