Lucene search
PRIOn knowledge basePRION:CVE-2023-46121HistoryNov 15, 2023 - 12:15 a.m.
Design/Logic Flaw
2023-11-1500:15:00
PRIOn knowledge base
www.prio-n.com
1
design logic flaw
mitm attack
cookie exfiltration
vulnerability
arbitrary proxy
http session
security update
upgrade required
trusted sites
no-check-certificate
yt-dlp is a youtube-dl fork with additional features and fixes. The Generic Extractor in yt-dlp is vulnerable to an attacker setting an arbitrary proxy for a request to an arbitrary url, allowing the attacker to MITM the request made from yt-dlp’s HTTP session. This could lead to cookie exfiltration in some cases. Version 2023.11.14 removed the ability to smuggle http_headers to the Generic extractor, as well as other extractors that use the same pattern. Users are advised to upgrade. Users unable to upgrade should disable the Ggneric extractor (or only pass trusted sites with trusted content) and ake caution when using --no-check-certificate.
| CPE | Name | Operator | Version |
|---|---|---|---|
| yt-dlp | ge | 2022.10.04 | |
| yt-dlp | lt | 2023.11.14 |
Related
alpinelinux
alpinelinux
CVE-2023-46121
2023-11-15 00:15:09
github
github
yt-dlp Generic Extractor MITM Vulnerability via Arbitrary Proxy Injection
2023-11-15 14:48:24
cve
cve
CVE-2023-46121
2023-11-15 00:15:09
debiancve
debiancve
CVE-2023-46121
2023-11-15 00:15:09
osv
osv
yt-dlp Generic Extractor MITM Vulnerability via Arbitrary Proxy Injection
2023-11-15 14:48:24
CVE-2023-46121
2023-11-15 00:15:09
cvelist
cvelist
CVE-2023-46121 Generic Extractor MITM Vulnerability in yt-dlp
2023-11-14 23:31:55
veracode
veracode
HTTP Request Smuggling
2023-11-15 08:35:11
nvd
nvd
CVE-2023-46121
2023-11-15 00:15:09
ubuntucve
ubuntucve
CVE-2023-46121
2023-11-15 00:00:00
nessus
nessus
openSUSE 15 Security Update : yt-dlp (openSUSE-SU-2023:0374-1)
2023-11-19 00:00:00
openvas
openvas
openSUSE: Security Advisory for yt (openSUSE-SU-2023:0374-1)
2024-03-04 00:00:00