CVE-2022-0768
Published 2022-02-28
Priority: P3 (47) · Critical 9.1 (CVSS 3.1) · AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 1.62% (73.0th percentile)
Server-Side Request Forgery (SSRF) in GitHub repository rudloff/alltube prior to 3.0.2.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| alltubedownload | alltube | < 3.0.2 | 3.0.2 |
| rudloff | alltube | >= 0 < 3.0.2 | 3.0.2 |
| rudloff | rudloff_alltube | >= unspecified < 3.0.2 | 3.0.2 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| nvd | 3.0 | 8.6 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L |
| nvd | 2.0 | 6.4 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:P/A:N |
| ghsa | – | 9.1 | CRITICAL | – |
| osv | – | 9.1 | CRITICAL | – |
OSV
Server-Side Request Forgery (SSRF) in rudloff/alltube
osv·2022-03-01·CVSS 9.1
CVE-2022-0768 [CRITICAL] Server-Side Request Forgery (SSRF) in rudloff/alltube
Server-Side Request Forgery (SSRF) in rudloff/alltube
### Impact
Releases prior to 3.0.2 are vulnerable to a Server-Side Request Forgery vulnerability that allows an attacker to send a request to an internal hostname.
### Patches
3.0.2 contains a fix for this vulnerability.
(The 1.x and 2.x releases are not maintained anymore.)
Part of the fix requires applying [a patch](https://github.com/Rudloff/alltube/blob/148a171b240e7ceb076b9e198bef412de14ac55d/patches/youtube-dl-redirect.diff) to youtube-dl to prevent it from following HTTP redirects. If you are using the version of youtube-dl bundled with 3.0.2, it is already patched.
However, if you are using your own unpatched version of youtube-dl **you might still be vulnerable**.
### References
* https://github.com/Rudloff/alltube/commit/3
GHSA
Server-Side Request Forgery (SSRF) in rudloff/alltube
ghsa·2022-03-01·CVSS 9.1
CVE-2022-0768 [CRITICAL] CWE-918 Server-Side Request Forgery (SSRF) in rudloff/alltube
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2022-02-28