Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:apk/alpine/yt-dlp@2023.07.06-r0?arch=aarch64&distroversion=v3.19&reponame=community

Type apk

Namespace alpine

Name yt-dlp

Version 2023.07.06-r0

Qualifiers

arch	aarch64
distroversion	v3.19
reponame	community

Subpath

Is_vulnerable false

Next_non_vulnerable_version 2023.11.14-r0

Latest_non_vulnerable_version 2023.11.14-r0

Affected_by_vulnerabilities

Fixing_vulnerabilities

url VCID-2991-xam1-9udt

vulnerability_id VCID-2991-xam1-9udt

summary

URL Redirection to Untrusted Site ('Open Redirect')
yt-dlp is a command-line program to download videos from video sites. During file downloads, yt-dlp or the external downloaders that yt-dlp employs may leak cookies on HTTP redirects to a different host, or leak them when the host for download fragments differs from their parent manifest's host. This vulnerable behavior is present in yt-dlp prior to 2023.07.06 and nightly 2023.07.06.185519. All native and external downloaders are affected, except for `curl` and `httpie` (version 3.1.0 or later).

At the file download stage, all cookies are passed by yt-dlp to the file downloader as a `Cookie` header, thereby losing their scope. This also occurs in yt-dlp's info JSON output, which may be used by external tools. As a result, the downloader or external tool may indiscriminately send cookies with requests to domains or paths for which the cookies are not scoped.

yt-dlp version 2023.07.06 and nightly 2023.07.06.185519 fix this issue by removing the `Cookie` header upon HTTP redirects; having native downloaders calculate the `Cookie` header from the cookiejar, utilizing external downloaders' built-in support for cookies instead of passing them as header arguments, disabling HTTP redirectiong if the external downloader does not have proper cookie support, processing cookies passed as HTTP headers to limit their scope, and having a separate field for cookies in the info dict storing more information about scoping

Some workarounds are available for those who are unable to upgrade. Avoid using cookies and user authentication methods. While extractors may set custom cookies, these usually do not contain sensitive information. Alternatively, avoid using `--load-info-json`. Or, if authentication is a must: verify the integrity of download links from unknown sources in browser (including redirects) before passing them to yt-dlp; use `curl` as external downloader, since it is not impacted; and/or avoid fragmented formats such as HLS/m3u8, DASH/mpd and ISM.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-35934

reference_id

reference_type

scores

value	0.00689
scoring_system	epss
scoring_elements	0.72105
published_at	2026-05-30T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-35934

reference_url

https://github.com/yt-dlp/yt-dlp

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/yt-dlp/yt-dlp

reference_url

https://github.com/yt-dlp/yt-dlp/commit/1ceb657bdd254ad961489e5060f2ccc7d556b729

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-19T16:47:08Z/

url

https://github.com/yt-dlp/yt-dlp/commit/1ceb657bdd254ad961489e5060f2ccc7d556b729

reference_url

https://github.com/yt-dlp/yt-dlp/commit/3121512228487c9c690d3d39bfd2579addf96e07

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-19T16:47:08Z/

url

https://github.com/yt-dlp/yt-dlp/commit/3121512228487c9c690d3d39bfd2579addf96e07

reference_url

https://github.com/yt-dlp/yt-dlp/commit/f8b4bcc0a791274223723488bfbfc23ea3276641

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-19T16:47:08Z/

url

https://github.com/yt-dlp/yt-dlp/commit/f8b4bcc0a791274223723488bfbfc23ea3276641

reference_url

https://github.com/yt-dlp/yt-dlp-nightly-builds/releases/tag/2023.07.06.185519

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-19T16:47:08Z/

url

https://github.com/yt-dlp/yt-dlp-nightly-builds/releases/tag/2023.07.06.185519

reference_url

https://github.com/yt-dlp/yt-dlp/releases/tag/2023.07.06

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-19T16:47:08Z/

url

https://github.com/yt-dlp/yt-dlp/releases/tag/2023.07.06

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5X6YT6AQE5FHM5VTQLKKJXSYBLLJF26W

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5X6YT6AQE5FHM5VTQLKKJXSYBLLJF26W

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5X6YT6AQE5FHM5VTQLKKJXSYBLLJF26W/

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-19T16:47:08Z/

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5X6YT6AQE5FHM5VTQLKKJXSYBLLJF26W/

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HEOKCGVONGHR2SYUIXU33A4MKXZBDP6L

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HEOKCGVONGHR2SYUIXU33A4MKXZBDP6L

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IM44RJL2MR2WG3ZY354C5IUEEZUJGEVA

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IM44RJL2MR2WG3ZY354C5IUEEZUJGEVA

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IM44RJL2MR2WG3ZY354C5IUEEZUJGEVA/

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-19T16:47:08Z/

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IM44RJL2MR2WG3ZY354C5IUEEZUJGEVA/

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M7E7CQ5S5KMZHAMCNU7V7KYNBVCPLBHG

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M7E7CQ5S5KMZHAMCNU7V7KYNBVCPLBHG

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040595
reference_id	1040595
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040595

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1079502
reference_id	1079502
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1079502

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-35934

reference_id

CVE-2023-35934

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-35934

reference_url

https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-v8mc-9377-rwjj

reference_id

GHSA-v8mc-9377-rwjj

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-19T16:47:08Z/

url

https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-v8mc-9377-rwjj

reference_url	https://security.gentoo.org/glsa/202409-30
reference_id	GLSA-202409-30
reference_type
scores
url	https://security.gentoo.org/glsa/202409-30

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HEOKCGVONGHR2SYUIXU33A4MKXZBDP6L/

reference_id

HEOKCGVONGHR2SYUIXU33A4MKXZBDP6L

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-19T16:47:08Z/

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HEOKCGVONGHR2SYUIXU33A4MKXZBDP6L/

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M7E7CQ5S5KMZHAMCNU7V7KYNBVCPLBHG/

reference_id

M7E7CQ5S5KMZHAMCNU7V7KYNBVCPLBHG

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-19T16:47:08Z/

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M7E7CQ5S5KMZHAMCNU7V7KYNBVCPLBHG/

fixed_packages

url	pkg:apk/alpine/yt-dlp@2023.07.06-r0?arch=aarch64&distroversion=v3.19&reponame=community
purl	pkg:apk/alpine/yt-dlp@2023.07.06-r0?arch=aarch64&distroversion=v3.19&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/yt-dlp@2023.07.06-r0%3Farch=aarch64&distroversion=v3.19&reponame=community

aliases CVE-2023-35934, GHSA-v8mc-9377-rwjj

risk_score null

exploitability 0.5

weighted_severity 0.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2991-xam1-9udt

Risk_score null

Resource_url http://public2.vulnerablecode.io/packages/pkg:apk/alpine/yt-dlp@2023.07.06-r0%3Farch=aarch64&distroversion=v3.19&reponame=community

Package Instance