Veracode Vulnerability DatabaseVERACODE:46382OS Command Injection
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
15.7%
yt-dlp is vulnerable to OS Command Injection. This vulnerability is due to insufficient escaping of special characters, specifically in the expansion of output templates within the --exec option.
References
github.com/yt-dlp/yt-dlp/commit/de015e930747165dbb8fcd360f8775fd973b7d6e
github.com/yt-dlp/yt-dlp/commit/ff07792676f404ffff6ee61b5638c9dc1a33a37a
github.com/yt-dlp/yt-dlp/releases/tag/2021.04.11
github.com/yt-dlp/yt-dlp/releases/tag/2024.04.09
github.com/yt-dlp/yt-dlp/security/advisories/GHSA-42h4-v29r-42qg
github.com/yt-dlp/yt-dlp/security/advisories/GHSA-hjq6-52gw-2g7p
www.kb.cert.org/vuls/id/123335
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
15.7%