CVE-2024-38519Incorrect Resource Transfer Between Spheres in Youtube-dl

CWE-669Incorrect Resource Transfer Between SpheresCWE-434Unrestricted File Upload5 documents4 sources
Severity
7.8HIGHNVD
EPSS
0.0%
top 86.43%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Yt-dlpYtdl-org Youtube-dlDebian Youtube-dl+1 more
Timeline
PublishedJul 2

Description

`yt-dlp` and `youtube-dl` are command-line audio/video downloaders. Prior to the fixed versions, `yt-dlp` and `youtube-dl` do not limit the extensions of downloaded files, which could lead to arbitrary filenames being created in the download folder (and path traversal on Windows). Since `yt-dlp` and `youtube-dl` also read config from the working directory (and on Windows executables will be executed from the `yt-dlp` or `youtube-dl` directory), this could lead to arbitrary code being executed.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages6 packages

CVEListV5yt-dlp/yt-dlp< 2024.07.01
PyPIyt-dlp/yt-dlp< 2024.07.01
debiandebian/yt-dlp< yt-dlp 2024.07.01-1 (forky)
debiandebian/youtube-dl< yt-dlp 2024.07.01-1 (forky)
CVEListV5ytdl-org/youtube-dlnightly2024-07-03+1

🔴Vulnerability Details

3
OSV
yt-dlp File system modification and RCE through improper file-extension sanitization2024-07-02
GHSA
yt-dlp File system modification and RCE through improper file-extension sanitization2024-07-02
OSV
CVE-2024-38519: `yt-dlp` and `youtube-dl` are command-line audio/video downloaders2024-07-02

📋Vendor Advisories

1
Debian
CVE-2024-38519: youtube-dl - `yt-dlp` and `youtube-dl` are command-line audio/video downloaders. Prior to the...2024