CVE-2022-24739
Server-Side Request Forgery and Open Redirect in AllTube Download
Severity: HIGH (CVSS 7.3) · EPSS 0.25%
Description
### Impact

On releases prior to 3.0.3, an attacker could craft a special HTML page to trigger either an open redirect attack or a Server-Side Request Forgery attack (depending on how AllTube is configured). The impact is mitigated by the fact that the SSRF attack is only possible when the `stream` option is enabled in the configuration. (This option is disabled by default.)

### Patches

3.0.3 contains a fix for this vulnerability. (The 1.x and 2.x releases are not maintained anymore.) The fix requires applying [a patch](https://github.com/Rudloff/alltube/blob/3d092891044f2685ed66c73c870a021bee319c37/patches/youtube-dl-disable-generic.diff) to youtube-dl to disable its generic extractor. If you are using the version of youtube-dl bundled with 3.0.3, it is already patched. However, if you are using your own unpatched version of youtube-dl **you might still be vulnerable**.

### References

* https://github.com/Rudloff/alltube/commit/8913f27716400dabf4906a5ad690a5238f73496a
* https://github.com/ytdl-org/youtube-dl/issues/30691
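The advisory's fix removes youtube-dl's generic extractor, the component that accepts an arbitrary attacker-controlled HTML page and returns whatever media URL it finds there; with `stream` enabled, AllTube then fetches that URL from the server, which is the SSRF. The following Python check is an added example (not AllTube's or youtube-dl's own code) of the defence-in-depth guard a deployment with `stream` enabled could run on the extracted URL before fetching it: only `http`/`https`, and only hosts whose every resolved address is publicly routable, with IPv4-mapped IPv6 literals unwrapped so `[::ffff:127.0.0.1]` cannot slip through. It does not replace the documented fix and does nothing about the open redirect, which points the browser at a public host by design. The function names (`check_media_url`, `make_table_resolver`, `is_public_address`) and the hostnames and addresses in the sample table are assumptions constructed for this example.

```python
"""Egress check for an extracted media URL before a server-side fetch.

Added example for CVE-2022-24739; not AllTube's or youtube-dl's own code.
The documented fix disables youtube-dl's generic extractor. This is an extra
guard for the `stream` path, where the extracted URL is fetched server-side.
"""
from __future__ import annotations

import ipaddress
import socket
from typing import Callable, Iterable, Mapping
from urllib.parse import urlsplit

# A resolver maps a hostname to the IP address strings it resolves to.
Resolver = Callable[[str], Iterable[str]]


def system_resolver(host: str) -> list[str]:
    """Resolve a hostname with the system resolver (A and AAAA records)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def make_table_resolver(table: Mapping[str, list[str]]) -> Resolver:
    """Build an offline resolver from a fixed hostname -> addresses table."""
    def resolve(host: str) -> list[str]:
        if host not in table:
            raise socket.gaierror(f"constructed resolver: unknown host {host}")
        return table[host]
    return resolve


def is_public_address(ip: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
    """True only for a globally routable unicast address.

    Cloud metadata (169.254.169.254), loopback, RFC 1918, multicast and the
    unspecified address are the usual SSRF targets; all are rejected. is_global
    already excludes most of them; the explicit tests also cover multicast,
    which older Python versions report as global.
    """
    return ip.is_global and not (
        ip.is_private or ip.is_loopback or ip.is_link_local
        or ip.is_multicast or ip.is_reserved or ip.is_unspecified
    )


def check_media_url(url: str, resolve: Resolver = system_resolver) -> tuple[bool, str]:
    """Return (allowed, reason) for a URL the extractor handed back.

    Allowed only if the scheme is http(s) and every address the host resolves
    to is public. IPv4-mapped IPv6 literals ([::ffff:127.0.0.1]) are unwrapped
    so they cannot smuggle an internal IPv4 target past the check.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname  # lower-cased, brackets stripped from IPv6 literals
    if not host:
        return False, "missing host"
    try:
        addresses = [ipaddress.ip_address(host)]  # literal IP, no DNS needed
    except ValueError:
        try:
            addresses = [ipaddress.ip_address(a) for a in resolve(host)]
        except (socket.gaierror, ValueError) as exc:
            return False, f"resolution failed: {exc}"
    if not addresses:
        return False, "host resolved to no addresses"
    for ip in addresses:
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        if not is_public_address(ip):
            return False, f"non-public address {ip}"
    return True, "ok"


# Constructed sample data: hostnames and addresses invented for this example.
SAMPLE_RESOLVER_TABLE = {
    "cdn.example": ["93.184.216.34"],
    "split.example": ["93.184.216.34", "10.0.0.5"],  # one public, one internal
}

SAMPLE_URLS = [
    "https://cdn.example/video.mp4",
    "https://split.example/video.mp4",
    "http://169.254.169.254/latest/meta-data/",
    "http://[::ffff:127.0.0.1]:8080/",
    "file:///etc/passwd",
    "http://unknown.example/",
]


def demo() -> dict[str, tuple[bool, str]]:
    """Run the constructed URLs through the check with the offline resolver."""
    resolve = make_table_resolver(SAMPLE_RESOLVER_TABLE)
    return {url: check_media_url(url, resolve) for url in SAMPLE_URLS}


if __name__ == "__main__":
    for url, (allowed, reason) in demo().items():
        print(f"{'ALLOW' if allowed else 'BLOCK':5} {url}  ({reason})")
```

Two caveats a practitioner should keep in mind. A check-then-fetch sequence is open to DNS rebinding: the host can resolve to a public address when checked and to an internal one when fetched, so the fetch should connect to the address that was checked (setting the `Host` header by hand) rather than resolving again. And the fetched server can answer with a 3xx to an internal target, so the fetcher must run the same check on every redirect hop it follows, or not follow redirects at all.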
Affected packages (1)
- Packagist: rudloff/alltube, affected range from 0, < 3.0.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
References (9)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2022-24739
- PATCH: https://github.com/Rudloff/alltube
- WEB: https://github.com/FriendsOfPHP/security-advisories/blob/master/rudloff/alltube/CVE-2022-24739.yaml
- WEB: https://github.com/Rudloff/alltube/commit/3a4f09dda0a466662a4e52cde674749e0c668e8d
- WEB: https://github.com/Rudloff/alltube/commit/8913f27716400dabf4906a5ad690a5238f73496a
- WEB: https://github.com/Rudloff/alltube/commit/bc14b6e45c766c05757fb607ef8d444cbbfba71a
- WEB: https://github.com/Rudloff/alltube/releases/tag/3.0.3
- WEB: https://github.com/Rudloff/alltube/security/advisories/GHSA-75p7-527p-w8wp
- WEB: https://github.com/ytdl-org/youtube-dl/issues/30691