{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-38519", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-06-18T16:37:02.728Z", "datePublished": "2024-07-02T13:47:36.399Z", "dateUpdated": "2024-08-02T04:12:25.618Z"}, "containers": {"cna": {"affected": [{"product": "yt-dlp", "vendor": "yt-dlp", "versions": [{"lessThan": "2024.07.01", "status": "affected", "versionType": "date", "version": "< 2024.07.01"}]}, {"defaultStatus": "unaffected", "product": "youtube-dl", "repo": "https://github.com/ytdl-org/youtube-dl", "vendor": "ytdl-org", "versions": [{"lessThanOrEqual": "2021.12.17", "status": "affected", "version": ">= 2015.01.25", "versionType": "date"}, {"changes": [{"at": "d42a222", "status": "unaffected"}], "lessThan": "2024-07-03", "status": "affected", "version": "nightly", "versionType": "date"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>`yt-dlp` and `youtube-dl` are command-line audio/video downloaders. Prior to the fixed versions,&nbsp;`yt-dlp` and `youtube-dl` do not limit the extensions of downloaded files, which could lead to arbitrary filenames being created in the download folder (and path traversal on Windows). Since `yt-dlp` and `youtube-dl` also read config from the working directory (and on Windows executables will be executed from the `yt-dlp` or `youtube-dl` directory), this could lead to arbitrary code being executed.</p><p><br></p><p>`yt-dlp` version 2024.07.01 fixes this issue by whitelisting the allowed extensions. `youtube-dl` fixes this issue in commit `d42a222` on the `master` branch and in nightly builds tagged 2024-07-03 or later. This might mean some very uncommon extensions might not get downloaded, however it will also limit the possible exploitation surface. In addition to upgrading, have `.%(ext)s` at the end of the output template and make sure the user trusts the websites that they are downloading from. Also, make sure to never download to a directory within PATH or other sensitive locations like one's user directory, `system32`, or other binaries locations. For users who are not able to upgrade, keep the default output template (`-o \"%(title)s [%(id)s].%(ext)s`); make sure the extension of the media to download is a common video/audio/sub/... one; try to avoid the generic extractor; and/or use `--ignore-config --config-location ...` to not load config from common locations.</p>"}], "value": "`yt-dlp` and `youtube-dl` are command-line audio/video downloaders. Prior to the fixed versions,\u00a0`yt-dlp` and `youtube-dl` do not limit the extensions of downloaded files, which could lead to arbitrary filenames being created in the download folder (and path traversal on Windows). Since `yt-dlp` and `youtube-dl` also read config from the working directory (and on Windows executables will be executed from the `yt-dlp` or `youtube-dl` directory), this could lead to arbitrary code being executed.\n\n\n\n\n`yt-dlp` version 2024.07.01 fixes this issue by whitelisting the allowed extensions. `youtube-dl` fixes this issue in commit `d42a222` on the `master` branch and in nightly builds tagged 2024-07-03 or later. This might mean some very uncommon extensions might not get downloaded, however it will also limit the possible exploitation surface. In addition to upgrading, have `.%(ext)s` at the end of the output template and make sure the user trusts the websites that they are downloading from. Also, make sure to never download to a directory within PATH or other sensitive locations like one's user directory, `system32`, or other binaries locations. For users who are not able to upgrade, keep the default output template (`-o \"%(title)s [%(id)s].%(ext)s`); make sure the extension of the media to download is a common video/audio/sub/... one; try to avoid the generic extractor; and/or use `--ignore-config --config-location ...` to not load config from common locations."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-669", "description": "CWE-669 Incorrect Resource Transfer Between Spheres", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-07-03T23:32:13.285Z"}, "references": [{"name": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-79w7-vh3h-8g4j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-79w7-vh3h-8g4j"}, {"name": "https://github.com/yt-dlp/yt-dlp/commit/5ce582448ececb8d9c30c8c31f58330090ced03a", "tags": ["x_refsource_MISC"], "url": "https://github.com/yt-dlp/yt-dlp/commit/5ce582448ececb8d9c30c8c31f58330090ced03a"}, {"name": "https://github.com/yt-dlp/yt-dlp/releases/tag/2024.07.01", "tags": ["x_refsource_MISC"], "url": "https://github.com/yt-dlp/yt-dlp/releases/tag/2024.07.01"}, {"name": "https://securitylab.github.com/advisories/GHSL-2024-090_yt-dlp", "tags": ["x_refsource_MISC"], "url": "https://securitylab.github.com/advisories/GHSL-2024-090_yt-dlp"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/dirkf/youtube-dl/security/advisories/GHSA-22fp-mf44-f2mq"}, {"tags": ["x_refsource_MISC"], "url": "https://securitylab.github.com/advisories/GHSL-2024-089_youtube-dl/"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/ytdl-org/youtube-dl/pull/32830"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/ytdl-org/youtube-dl/commit/d42a222ed541b96649396ef00e19552aef0f09ec"}], "source": {"advisory": "GHSA-79w7-vh3h-8g4j", "discovery": "UNKNOWN"}, "title": "yt-dlp and youtube-dl vulnerable to file system modification and RCE through improper file-extension sanitization"}, "adp": [{"affected": [{"vendor": "yt-dlp_project", "product": "yt-dlp", "cpes": ["cpe:2.3:a:yt-dlp_project:yt-dlp:-:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "2024.07.01", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-02T15:17:37.665466Z", "id": "CVE-2024-38519", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-24T18:21:58.650Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:12:25.618Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-79w7-vh3h-8g4j", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-79w7-vh3h-8g4j"}, {"name": "https://github.com/yt-dlp/yt-dlp/commit/5ce582448ececb8d9c30c8c31f58330090ced03a", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/yt-dlp/yt-dlp/commit/5ce582448ececb8d9c30c8c31f58330090ced03a"}, {"name": "https://github.com/yt-dlp/yt-dlp/releases/tag/2024.07.01", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/yt-dlp/yt-dlp/releases/tag/2024.07.01"}, {"name": "https://securitylab.github.com/advisories/GHSL-2024-090_yt-dlp", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://securitylab.github.com/advisories/GHSL-2024-090_yt-dlp"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/dirkf/youtube-dl/security/advisories/GHSA-22fp-mf44-f2mq"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://securitylab.github.com/advisories/GHSL-2024-089_youtube-dl/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/ytdl-org/youtube-dl/pull/32830"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/ytdl-org/youtube-dl/commit/d42a222ed541b96649396ef00e19552aef0f09ec"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-79w7-vh3h-8g4j", "name": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-79w7-vh3h-8g4j", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/yt-dlp/yt-dlp/commit/5ce582448ececb8d9c30c8c31f58330090ced03a", "name": "https://github.com/yt-dlp/yt-dlp/commit/5ce582448ececb8d9c30c8c31f58330090ced03a", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/yt-dlp/yt-dlp/releases/tag/2024.07.01", "name": "https://github.com/yt-dlp/yt-dlp/releases/tag/2024.07.01", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://securitylab.github.com/advisories/GHSL-2024-090_yt-dlp", "name": "https://securitylab.github.com/advisories/GHSL-2024-090_yt-dlp", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/dirkf/youtube-dl/security/advisories/GHSA-22fp-mf44-f2mq", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://securitylab.github.com/advisories/GHSL-2024-089_youtube-dl/", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/ytdl-org/youtube-dl/pull/32830", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/ytdl-org/youtube-dl/commit/d42a222ed541b96649396ef00e19552aef0f09ec", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:12:25.618Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-38519", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-07-02T15:17:37.665466Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:yt-dlp_project:yt-dlp:-:*:*:*:*:*:*:*"], "vendor": "yt-dlp_project", "product": "yt-dlp", "versions": [{"status": "affected", "version": "0", "lessThan": "2024.07.01", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-02T15:23:28.403Z"}}], "cna": {"title": "yt-dlp and youtube-dl vulnerable to file system modification and RCE through improper file-extension sanitization", "source": {"advisory": "GHSA-79w7-vh3h-8g4j", "discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "yt-dlp", "product": "yt-dlp", "versions": [{"status": "affected", "version": "< 2024.07.01", "lessThan": "2024.07.01", "versionType": "date"}]}, {"repo": "https://github.com/ytdl-org/youtube-dl", "vendor": "ytdl-org", "product": "youtube-dl", "versions": [{"status": "affected", "version": ">= 2015.01.25", "versionType": "date", "lessThanOrEqual": "2021.12.17"}, {"status": "affected", "changes": [{"at": "d42a222", "status": "unaffected"}], "version": "nightly", "lessThan": "2024-07-03", "versionType": "date"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-79w7-vh3h-8g4j", "name": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-79w7-vh3h-8g4j", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/yt-dlp/yt-dlp/commit/5ce582448ececb8d9c30c8c31f58330090ced03a", "name": "https://github.com/yt-dlp/yt-dlp/commit/5ce582448ececb8d9c30c8c31f58330090ced03a", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/yt-dlp/yt-dlp/releases/tag/2024.07.01", "name": "https://github.com/yt-dlp/yt-dlp/releases/tag/2024.07.01", "tags": ["x_refsource_MISC"]}, {"url": "https://securitylab.github.com/advisories/GHSL-2024-090_yt-dlp", "name": "https://securitylab.github.com/advisories/GHSL-2024-090_yt-dlp", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/dirkf/youtube-dl/security/advisories/GHSA-22fp-mf44-f2mq", "tags": ["x_refsource_MISC"]}, {"url": "https://securitylab.github.com/advisories/GHSL-2024-089_youtube-dl/", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/ytdl-org/youtube-dl/pull/32830", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/ytdl-org/youtube-dl/commit/d42a222ed541b96649396ef00e19552aef0f09ec", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "`yt-dlp` and `youtube-dl` are command-line audio/video downloaders. Prior to the fixed versions,\u00a0`yt-dlp` and `youtube-dl` do not limit the extensions of downloaded files, which could lead to arbitrary filenames being created in the download folder (and path traversal on Windows). Since `yt-dlp` and `youtube-dl` also read config from the working directory (and on Windows executables will be executed from the `yt-dlp` or `youtube-dl` directory), this could lead to arbitrary code being executed.\n\n\n\n\n`yt-dlp` version 2024.07.01 fixes this issue by whitelisting the allowed extensions. `youtube-dl` fixes this issue in commit `d42a222` on the `master` branch and in nightly builds tagged 2024-07-03 or later. This might mean some very uncommon extensions might not get downloaded, however it will also limit the possible exploitation surface. In addition to upgrading, have `.%(ext)s` at the end of the output template and make sure the user trusts the websites that they are downloading from. Also, make sure to never download to a directory within PATH or other sensitive locations like one's user directory, `system32`, or other binaries locations. For users who are not able to upgrade, keep the default output template (`-o \"%(title)s [%(id)s].%(ext)s`); make sure the extension of the media to download is a common video/audio/sub/... one; try to avoid the generic extractor; and/or use `--ignore-config --config-location ...` to not load config from common locations.", "supportingMedia": [{"type": "text/html", "value": "<p>`yt-dlp` and `youtube-dl` are command-line audio/video downloaders. Prior to the fixed versions,&nbsp;`yt-dlp` and `youtube-dl` do not limit the extensions of downloaded files, which could lead to arbitrary filenames being created in the download folder (and path traversal on Windows). Since `yt-dlp` and `youtube-dl` also read config from the working directory (and on Windows executables will be executed from the `yt-dlp` or `youtube-dl` directory), this could lead to arbitrary code being executed.</p><p><br></p><p>`yt-dlp` version 2024.07.01 fixes this issue by whitelisting the allowed extensions. `youtube-dl` fixes this issue in commit `d42a222` on the `master` branch and in nightly builds tagged 2024-07-03 or later. This might mean some very uncommon extensions might not get downloaded, however it will also limit the possible exploitation surface. In addition to upgrading, have `.%(ext)s` at the end of the output template and make sure the user trusts the websites that they are downloading from. Also, make sure to never download to a directory within PATH or other sensitive locations like one's user directory, `system32`, or other binaries locations. For users who are not able to upgrade, keep the default output template (`-o \"%(title)s [%(id)s].%(ext)s`); make sure the extension of the media to download is a common video/audio/sub/... one; try to avoid the generic extractor; and/or use `--ignore-config --config-location ...` to not load config from common locations.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-669", "description": "CWE-669 Incorrect Resource Transfer Between Spheres"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-07-03T23:32:13.285Z"}}}, "cveMetadata": {"cveId": "CVE-2024-38519", "state": "PUBLISHED", "dateUpdated": "2024-08-02T04:12:25.618Z", "dateReserved": "2024-06-18T16:37:02.728Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-07-02T13:47:36.399Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "`yt-dlp` and `youtube-dl` are command-line audio/video downloaders. Prior to the fixed versions,\u00a0`yt-dlp` and `youtube-dl` do not limit the extensions of downloaded files, which could lead to arbitrary filenames being created in the download folder (and path traversal on Windows). Since `yt-dlp` and `youtube-dl` also read config from the working directory (and on Windows executables will be executed from the `yt-dlp` or `youtube-dl` directory), this could lead to arbitrary code being executed.\n\n\n\n\n`yt-dlp` version 2024.07.01 fixes this issue by whitelisting the allowed extensions. `youtube-dl` fixes this issue in commit `d42a222` on the `master` branch and in nightly builds tagged 2024-07-03 or later. This might mean some very uncommon extensions might not get downloaded, however it will also limit the possible exploitation surface. In addition to upgrading, have `.%(ext)s` at the end of the output template and make sure the user trusts the websites that they are downloading from. Also, make sure to never download to a directory within PATH or other sensitive locations like one's user directory, `system32`, or other binaries locations. For users who are not able to upgrade, keep the default output template (`-o \"%(title)s [%(id)s].%(ext)s`); make sure the extension of the media to download is a common video/audio/sub/... one; try to avoid the generic extractor; and/or use `--ignore-config --config-location ...` to not load config from common locations."}, {"lang": "es", "value": "`yt-dlp` es un descargador de audio/v\u00eddeo de l\u00ednea de comandos. Antes de la versi\u00f3n 2024.07.01, `yt-dlp` no limita las extensiones de los archivos descargados, lo que podr\u00eda provocar la creaci\u00f3n de nombres de archivos arbitrarios en la carpeta de descarga (y el path traversal en Windows). Dado que `yt-dlp` tambi\u00e9n lee la configuraci\u00f3n del directorio de trabajo (y en Windows los ejecutables se ejecutar\u00e1n desde el directorio yt-dlp), esto podr\u00eda provocar la ejecuci\u00f3n de c\u00f3digo arbitrario. La versi\u00f3n 2024.07.01 de `yt-dlp` soluciona este problema al incluir en la lista blanca las extensiones permitidas. Esto podr\u00eda significar que algunas extensiones muy poco comunes podr\u00edan no descargarse, sin embargo, tambi\u00e9n limitar\u00e1 la posible superficie de explotaci\u00f3n. Adem\u00e1s de actualizar, coloque `.%(ext)s` al final de la plantilla de salida y aseg\u00farese de que el usuario conf\u00ede en los sitios web desde los que realiza la descarga. Adem\u00e1s, aseg\u00farese de nunca descargar a un directorio dentro de PATH u otras ubicaciones confidenciales como el directorio de usuario, `system32` u otras ubicaciones de archivos binarios. Para los usuarios que no pueden actualizar, mantenga la plantilla de salida predeterminada (`-o \"%(title)s [%(id)s].%(ext)s`); aseg\u00farese de que la extensi\u00f3n del medio a descargar sea uno com\u00fan de video/audio/sub/... trate de evitar el extractor gen\u00e9rico y/o use `--ignore-config --config-location...` para no cargar la configuraci\u00f3n desde ubicaciones comunes."}], "id": "CVE-2024-38519", "lastModified": "2024-07-04T00:15:01.980", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-07-02T14:15:13.737", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/dirkf/youtube-dl/security/advisories/GHSA-22fp-mf44-f2mq"}, {"source": "security-advisories@github.com", "url": "https://github.com/yt-dlp/yt-dlp/commit/5ce582448ececb8d9c30c8c31f58330090ced03a"}, {"source": "security-advisories@github.com", "url": "https://github.com/yt-dlp/yt-dlp/releases/tag/2024.07.01"}, {"source": "security-advisories@github.com", "url": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-79w7-vh3h-8g4j"}, {"source": "security-advisories@github.com", "url": "https://github.com/ytdl-org/youtube-dl/commit/d42a222ed541b96649396ef00e19552aef0f09ec"}, {"source": "security-advisories@github.com", "url": "https://github.com/ytdl-org/youtube-dl/pull/32830"}, {"source": "security-advisories@github.com", "url": "https://securitylab.github.com/advisories/GHSL-2024-089_youtube-dl/"}, {"source": "security-advisories@github.com", "url": "https://securitylab.github.com/advisories/GHSL-2024-090_yt-dlp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-669"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}