Unauthenticated users can obtain the caption of private videos
1: First, create a private video and upload a caption
2: Log out and, as an unauthenticated user, visit /api/v1/videos/1/captions
3: The response should return a lazy-static URL:
{"total":1,"data":[{"language":{"id":"ase","label":"American Sign Language"},"captionPath":"/lazy-static/video-captions/62569eec-cdf5-4582-9cb0-af07d20d900c-ase.vtt"}]}
4: Visit the lazy-static URL and see you can access captions while unauthenticated.
This vulnerability discloses the captions of private videos to unauthenticated users.
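The steps above reach the caption through two routes: the captions listing and the lazy-static file URL. The following added example (not the project's own code) models one authorization check shared by both routes. The data model, the `isPrivate`, `ownerId` and `isAdmin` fields, the function names and the status codes are all assumptions, and the sample videos and file names are constructed.

```javascript
// Illustrative model only: field names, function names and status codes are assumptions.
// Constructed sample data: video 1 is private, video 2 is public.
const videos = new Map([
  [1, { id: 1, isPrivate: true, ownerId: 42,
        captions: [{ language: 'ase', file: '00000000-0000-4000-8000-000000000001-ase.vtt' }] }],
  [2, { id: 2, isPrivate: false, ownerId: 42,
        captions: [{ language: 'en', file: '00000000-0000-4000-8000-000000000002-en.vtt' }] }]
]);
const CAPTION_PREFIX = '/lazy-static/video-captions/';

// Single authorization decision shared by every route that exposes caption data.
function canView(video, user) {
  if (!video.isPrivate) return true;
  return Boolean(user) && (user.id === video.ownerId || user.isAdmin === true);
}

// Denied request: 401 when anonymous, 403 when logged in but not allowed.
function denied(user) {
  return { status: user ? 403 : 401, body: null };
}

// Listing route: check the parent video before returning any caption path.
function listCaptions(videoId, user) {
  const video = videos.get(videoId);
  if (!video) return { status: 404, body: null };
  if (!canView(video, user)) return denied(user);
  const data = video.captions.map(c => ({ language: c.language, captionPath: CAPTION_PREFIX + c.file }));
  return { status: 200, body: { total: data.length, data } };
}

// File route: map the requested file back to its video and apply the same check,
// so knowing the path alone is not enough to read a private caption.
function serveCaptionFile(path, user) {
  if (!path.startsWith(CAPTION_PREFIX)) return { status: 404, body: null };
  const file = path.slice(CAPTION_PREFIX.length);
  for (const video of videos.values()) {
    if (video.captions.some(c => c.file === file)) {
      return canView(video, user) ? { status: 200, body: file } : denied(user);
    }
  }
  return { status: 404, body: null };
}
```

The same four cases (anonymous, owner, other user, public video) make a useful regression test against both routes once a fix is deployed.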