CVE-2023-35934 — Sensitive Information Exposure in Project Yt-dlp
Severity: 8.2 HIGH (NVD)
EPSS: 0.6% (top 29.25%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jul 6
Description
yt-dlp is a command-line program to download videos from video sites. During file downloads, yt-dlp or the external downloaders that yt-dlp employs may leak cookies on HTTP redirects to a different host, or leak them when the host for download fragments differs from their parent manifest's host. This vulnerable behavior is present in yt-dlp prior to 2023.07.06 and nightly 2023.07.06.185519. All native and external downloaders are affected, except for `curl` and `httpie` (version 3.1.0 or later). …
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N (Exploitability: 2.8 | Impact: 4.7)
Affected packages: 7 packages
Also affects: Fedora 37, 38
Patches
Vulnerability details: 3
Vendor advisories: 1 (Debian, youtube-dl, CVE-2023-35934, 2023)