Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

Unknown

Privileges Required

Unknown

Attack Vector

Unknown

CVE-2024-38519

Disclosure Date: July 02, 2024 •

CVE-2024-38519

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

yt-dlp and youtube-dl are command-line audio/video downloaders. Prior to the fixed versions, yt-dlp and youtube-dl do not limit the extensions of downloaded files, which could lead to arbitrary filenames being created in the download folder (and path traversal on Windows). Since yt-dlp and youtube-dl also read config from the working directory (and on Windows executables will be executed from the yt-dlp or youtube-dl directory), this could lead to arbitrary code being executed.

yt-dlp version 2024.07.01 fixes this issue by whitelisting the allowed extensions. youtube-dl fixes this issue in commit d42a222 on the master branch and in nightly builds tagged 2024-07-03 or later. This might mean some very uncommon extensions might not get downloaded, however it will also limit the possible exploitation surface. In addition to upgrading, have .%(ext)s at the end of the output template and make sure the user trusts the websites that they are downloading from. Also, make sure to never download to a directory within PATH or other sensitive locations like one’s user directory, system32, or other binaries locations. For users who are not able to upgrade, keep the default output template (-o "%(title)s [%(id)s].%(ext)s); make sure the extension of the media to download is a common video/audio/sub/… one; try to avoid the generic extractor; and/or use --ignore-config --config-location ... to not load config from common locations.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

None

Impact Score:

Unknown

Exploitability Score:

Unknown

Vector:

Unknown

Attack Vector (AV):

Unknown

Attack Complexity (AC):

Unknown

Privileges Required (PR):

Unknown

User Interaction (UI):

Unknown

Scope (S):

Unknown

Confidentiality (C):

Unknown

Integrity (I):

Unknown

Availability (A):

Unknown

Vendors

yt-dlp,
ytdl-org

Products

yt-dlp,
youtube-dl

References

Canonical

CVE-2024-38519 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38519)

Miscellaneous

https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-79w7-vh3h-8g4j

https://github.com/yt-dlp/yt-dlp/commit/5ce582448ececb8d9c30c8c31f58330090ced03a

https://github.com/yt-dlp/yt-dlp/releases/tag/2024.07.01

https://securitylab.github.com/advisories/GHSL-2024-090_yt-dlp

https://github.com/dirkf/youtube-dl/security/advisories/GHSA-22fp-mf44-f2mq

https://securitylab.github.com/advisories/GHSL-2024-089_youtube-dl/

https://github.com/ytdl-org/youtube-dl/pull/32830

https://github.com/ytdl-org/youtube-dl/commit/d42a222ed541b96649396ef00e19552aef0f09ec

Rapid7

Unknown

CVE-2024-38519

Unknown

Unknown

Unknown

Unknown

Unknown

CVE-2024-38519

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Unknown

CVE-2024-38519

Unknown

Unknown

Unknown

Unknown

Unknown

CVE-2024-38519

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Quick Cookie Notification