Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS03NXA3LTUyN3Atdzh3cM0w2w
Server-Side Request Forgery and Open Redirect in AllTube Download
Impact
On releases prior to 3.0.3, an attacker could craft a special HTML page to trigger either an open redirect attack or a Server-Side Request Forgery attack (depending on how AllTube is configured).
The impact is mitigated by the fact the SSRF attack is only possible when the stream option is enabled in the configuration. (This option is disabled by default.)
Patches
3.0.3 contains a fix for this vulnerability.
(The 1.x and 2.x releases are not maintained anymore.)
The fix requires applying a patch to youtube-dl to disable its generic extractor. If you are using the version of youtube-dl bundled with 3.0.3, it is already patched.
However, if you are using your own unpatched version of youtube-dl you might still be vulnerable.
References
- https://github.com/Rudloff/alltube/commit/8913f27716400dabf4906a5ad690a5238f73496a
- https://github.com/ytdl-org/youtube-dl/issues/30691
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03NXA3LTUyN3Atdzh3cM0w2w
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: 10 months ago
CVSS Score: 7.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Identifiers: GHSA-75p7-527p-w8wp, CVE-2022-24739
References:
- https://github.com/Rudloff/alltube/security/advisories/GHSA-75p7-527p-w8wp
- https://nvd.nist.gov/vuln/detail/CVE-2022-24739
- https://github.com/ytdl-org/youtube-dl/issues/30691
- https://github.com/Rudloff/alltube/commit/3a4f09dda0a466662a4e52cde674749e0c668e8d
- https://github.com/Rudloff/alltube/commit/8913f27716400dabf4906a5ad690a5238f73496a
- https://github.com/Rudloff/alltube/commit/bc14b6e45c766c05757fb607ef8d444cbbfba71a
- https://github.com/Rudloff/alltube/releases/tag/3.0.3
- https://github.com/FriendsOfPHP/security-advisories/blob/master/rudloff/alltube/CVE-2022-24739.yaml
- https://github.com/advisories/GHSA-75p7-527p-w8wp
Blast Radius: 1.0
Affected Packages
packagist:rudloff/alltube
Dependent packages: 0Dependent repositories: 0
Downloads: 966 total
Affected Version Ranges: < 3.0.3
Fixed in: 3.0.3
All affected versions: 0.3.0, 0.3.1, 0.3.2, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.5.0, 0.5.1, 0.5.2, 0.6.0, 0.7.0, 0.7.1, 0.8.0, 0.9.0, 0.10.0, 0.10.1, 0.10.2, 0.11.0, 1.0.0, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.1.0, 2.2.0, 2.2.1, 2.3.0, 3.0.0, 3.0.1, 3.0.2
All unaffected versions: 3.0.3, 3.1.0, 3.1.1