2249769 – (CVE-2023-46121) CVE-2023-46121 yt-dlp: Generic Extractor MITM Vulnerability via Arbitrary Proxy Injection

Bug 2249769 (CVE-2023-46121) - CVE-2023-46121 yt-dlp: Generic Extractor MITM Vulnerability via Arbitrary Proxy Injection

Summary: CVE-2023-46121 yt-dlp: Generic Extractor MITM Vulnerability via Arbitrary Pro...

Keywords:
Status:	NEW
Alias:	CVE-2023-46121
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2249770
Blocks:
TreeView+	depends on / blocked

Reported:	2023-11-15 09:12 UTC by ybuenos
Modified:	2023-11-15 09:13 UTC (History)
CC List:	0 users
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description ybuenos 2023-11-15 09:12:56 UTC

yt-dlp is a youtube-dl fork with additional features and fixes. The Generic Extractor in yt-dlp is vulnerable to an attacker setting an arbitrary proxy for a request to an arbitrary url, allowing the attacker to MITM the request made from yt-dlp's HTTP session. This could lead to cookie exfiltration in some cases. Version 2023.11.14 removed the ability to smuggle `http_headers` to the Generic extractor, as well as other extractors that use the same pattern. Users are advised to upgrade. Users unable to upgrade should disable the Ggneric extractor (or only pass trusted sites with trusted content) and ake caution when using `--no-check-certificate`.

Comment 1 ybuenos 2023-11-15 09:13:10 UTC

Created yt-dlp tracking bugs for this issue:

Affects: fedora-all [bug 2249770]

Note You need to log in before you can comment on or make changes to this bug.