CVE-2024-38519

`yt-dlp` and `youtube-dl` are command-line audio/video downloaders. Prior to the fixed versions, `yt-dlp` and `youtube-dl` do not limit the extensions of downloaded files, which could lead to arbitrary filenames being created in the download folder (and path traversal on Windows). Since `yt-dlp` and `youtube-dl` also read config from the working directory (and on Windows executables will be executed from the `yt-dlp` or `youtube-dl` directory), this could lead to arbitrary code being executed. `yt-dlp` version 2024.07.01 fixes this issue by whitelisting the allowed extensions. `youtube-dl` fixes this issue in commit `d42a222` on the `master` branch and in nightly builds tagged 2024-07-03 or later. This might mean some very uncommon extensions might not get downloaded, however it will also limit the possible exploitation surface. In addition to upgrading, have `.%(ext)s` at the end of the output template and make sure the user trusts the websites that they are downloading from. Also, make sure to never download to a directory within PATH or other sensitive locations like one's user directory, `system32`, or other binaries locations. For users who are not able to upgrade, keep the default output template (`-o "%(title)s [%(id)s].%(ext)s`); make sure the extension of the media to download is a common video/audio/sub/... one; try to avoid the generic extractor; and/or use `--ignore-config --config-location ...` to not load config from common locations.
Configurations

No configuration.

History

21 Nov 2024, 09:26

Type Values Removed Values Added
References () https://github.com/dirkf/youtube-dl/security/advisories/GHSA-22fp-mf44-f2mq - () https://github.com/dirkf/youtube-dl/security/advisories/GHSA-22fp-mf44-f2mq -
References () https://github.com/yt-dlp/yt-dlp/commit/5ce582448ececb8d9c30c8c31f58330090ced03a - () https://github.com/yt-dlp/yt-dlp/commit/5ce582448ececb8d9c30c8c31f58330090ced03a -
References () https://github.com/yt-dlp/yt-dlp/releases/tag/2024.07.01 - () https://github.com/yt-dlp/yt-dlp/releases/tag/2024.07.01 -
References () https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-79w7-vh3h-8g4j - () https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-79w7-vh3h-8g4j -
References () https://github.com/ytdl-org/youtube-dl/commit/d42a222ed541b96649396ef00e19552aef0f09ec - () https://github.com/ytdl-org/youtube-dl/commit/d42a222ed541b96649396ef00e19552aef0f09ec -
References () https://github.com/ytdl-org/youtube-dl/pull/32830 - () https://github.com/ytdl-org/youtube-dl/pull/32830 -
References () https://securitylab.github.com/advisories/GHSL-2024-089_youtube-dl/ - () https://securitylab.github.com/advisories/GHSL-2024-089_youtube-dl/ -
References () https://securitylab.github.com/advisories/GHSL-2024-090_yt-dlp - () https://securitylab.github.com/advisories/GHSL-2024-090_yt-dlp -

04 Jul 2024, 00:15

Type Values Removed Values Added
References
  • () https://github.com/dirkf/youtube-dl/security/advisories/GHSA-22fp-mf44-f2mq -
  • () https://github.com/ytdl-org/youtube-dl/commit/d42a222ed541b96649396ef00e19552aef0f09ec -
  • () https://github.com/ytdl-org/youtube-dl/pull/32830 -
  • () https://securitylab.github.com/advisories/GHSL-2024-089_youtube-dl/ -
CWE CWE-434 CWE-669
Summary
  • (es) `yt-dlp` es un descargador de audio/vídeo de línea de comandos. Antes de la versión 2024.07.01, `yt-dlp` no limita las extensiones de los archivos descargados, lo que podría provocar la creación de nombres de archivos arbitrarios en la carpeta de descarga (y el path traversal en Windows). Dado que `yt-dlp` también lee la configuración del directorio de trabajo (y en Windows los ejecutables se ejecutarán desde el directorio yt-dlp), esto podría provocar la ejecución de código arbitrario. La versión 2024.07.01 de `yt-dlp` soluciona este problema al incluir en la lista blanca las extensiones permitidas. Esto podría significar que algunas extensiones muy poco comunes podrían no descargarse, sin embargo, también limitará la posible superficie de explotación. Además de actualizar, coloque `.%(ext)s` al final de la plantilla de salida y asegúrese de que el usuario confíe en los sitios web desde los que realiza la descarga. Además, asegúrese de nunca descargar a un directorio dentro de PATH u otras ubicaciones confidenciales como el directorio de usuario, `system32` u otras ubicaciones de archivos binarios. Para los usuarios que no pueden actualizar, mantenga la plantilla de salida predeterminada (`-o "%(title)s [%(id)s].%(ext)s`); asegúrese de que la extensión del medio a descargar sea uno común de video/audio/sub/... trate de evitar el extractor genérico y/o use `--ignore-config --config-location...` para no cargar la configuración desde ubicaciones comunes.
Summary (en) `yt-dlp` is a command-line audio/video downloader. Prior to version 2024.07.01, `yt-dlp` does not limit the extensions of downloaded files, which could lead to aribitrary filenames being created in the download folder (and path traversal on Windows). Since `yt-dlp` also reads config from the working directory (and on Windows executables will be executed from the yt-dlp directory) this could lead to arbitrary code being executed. `yt-dlp` version 2024.07.01 fixes this issue by whitelisting the allowed extensions. This might mean some very uncommon extensions might not get downloaded, however it will also limit the possible exploitation surface. In addition to upgrading, have `.%(ext)s` at the end of the output template and make sure the user trusts the websites that they are downloading from. Also, make sure to never download to a directory within PATH or other sensitive locations like one's user directory, `system32`, or other binaries locations. For users who are not able to upgrade, keep the default output template (`-o "%(title)s [%(id)s].%(ext)s`); make sure the extension of the media to download is a common video/audio/sub/... one; try to avoid the generic extractor; and/or use `--ignore-config --config-location ...` to not load config from common locations. (en) `yt-dlp` and `youtube-dl` are command-line audio/video downloaders. Prior to the fixed versions, `yt-dlp` and `youtube-dl` do not limit the extensions of downloaded files, which could lead to arbitrary filenames being created in the download folder (and path traversal on Windows). Since `yt-dlp` and `youtube-dl` also read config from the working directory (and on Windows executables will be executed from the `yt-dlp` or `youtube-dl` directory), this could lead to arbitrary code being executed. `yt-dlp` version 2024.07.01 fixes this issue by whitelisting the allowed extensions. `youtube-dl` fixes this issue in commit `d42a222` on the `master` branch and in nightly builds tagged 2024-07-03 or later. This might mean some very uncommon extensions might not get downloaded, however it will also limit the possible exploitation surface. In addition to upgrading, have `.%(ext)s` at the end of the output template and make sure the user trusts the websites that they are downloading from. Also, make sure to never download to a directory within PATH or other sensitive locations like one's user directory, `system32`, or other binaries locations. For users who are not able to upgrade, keep the default output template (`-o "%(title)s [%(id)s].%(ext)s`); make sure the extension of the media to download is a common video/audio/sub/... one; try to avoid the generic extractor; and/or use `--ignore-config --config-location ...` to not load config from common locations.

02 Jul 2024, 14:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-07-02 14:15

Updated : 2024-11-21 09:26


NVD link : CVE-2024-38519

Mitre link : CVE-2024-38519

CVE.ORG link : CVE-2024-38519


JSON object : View

Products Affected

No product.

CWE
CWE-669

Incorrect Resource Transfer Between Spheres