GHSA-75P7-527P-W8WP

Vulnerability from github – Published: 2022-03-09 15:17 – Updated: 2022-03-09 20:13
VLAI
Summary
Server-Side Request Forgery and Open Redirect in AllTube Download
Details

Impact

On releases prior to 3.0.3, an attacker could craft a special HTML page to trigger either an open redirect attack or a Server-Side Request Forgery attack (depending on how AllTube is configured).

The impact is mitigated by the fact the SSRF attack is only possible when the stream option is enabled in the configuration. (This option is disabled by default.)

Patches

3.0.3 contains a fix for this vulnerability. (The 1.x and 2.x releases are not maintained anymore.)

The fix requires applying a patch to youtube-dl to disable its generic extractor. If you are using the version of youtube-dl bundled with 3.0.3, it is already patched. However, if you are using your own unpatched version of youtube-dl you might still be vulnerable.

References

  • https://github.com/Rudloff/alltube/commit/8913f27716400dabf4906a5ad690a5238f73496a
  • https://github.com/ytdl-org/youtube-dl/issues/30691
Severity
7.3 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "rudloff/alltube"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-24739"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601",
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-03-09T15:17:31Z",
    "nvd_published_at": "2022-03-08T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nOn releases prior to 3.0.3, an attacker could craft a special HTML page to trigger either an open redirect attack or a Server-Side Request Forgery attack (depending on how AllTube is configured).\n\nThe impact is mitigated by the fact the SSRF attack is only possible when the `stream` option is enabled in the configuration. (This option is disabled by default.)\n\n### Patches\n\n3.0.3 contains a fix for this vulnerability.\n(The 1.x and 2.x releases are not maintained anymore.)\n\nThe fix requires applying [a patch](https://github.com/Rudloff/alltube/blob/3d092891044f2685ed66c73c870a021bee319c37/patches/youtube-dl-disable-generic.diff) to youtube-dl to disable its generic extractor. If you are using the version of youtube-dl bundled with 3.0.3, it is already patched.\nHowever, if you are using your own unpatched version of youtube-dl **you might still be vulnerable**.\n\n### References\n\n* https://github.com/Rudloff/alltube/commit/8913f27716400dabf4906a5ad690a5238f73496a\n* https://github.com/ytdl-org/youtube-dl/issues/30691\n",
  "id": "GHSA-75p7-527p-w8wp",
  "modified": "2022-03-09T20:13:46Z",
  "published": "2022-03-09T15:17:31Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Rudloff/alltube/security/advisories/GHSA-75p7-527p-w8wp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24739"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ytdl-org/youtube-dl/issues/30691"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Rudloff/alltube/commit/3a4f09dda0a466662a4e52cde674749e0c668e8d"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Rudloff/alltube/commit/8913f27716400dabf4906a5ad690a5238f73496a"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Rudloff/alltube/commit/bc14b6e45c766c05757fb607ef8d444cbbfba71a"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/rudloff/alltube/CVE-2022-24739.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Rudloff/alltube"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Rudloff/alltube/releases/tag/3.0.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Server-Side Request Forgery and Open Redirect in AllTube Download"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.