Bug 1217153 (CVE-2023-46121) - VUL-0: CVE-2023-46121: yt-dlp: MITM from yt-dlp's HTTP session
Summary: VUL-0: CVE-2023-46121: yt-dlp: MITM from yt-dlp's HTTP session
Status: RESOLVED FIXED
Alias: CVE-2023-46121
Product: openSUSE Distribution
Classification: openSUSE
Component: Security
Version: Leap 15.6
Hardware: Other Other
Importance: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/385245/
Whiteboard:
Keywords:
Depends on:
Blocks: 1225537
Reported: 2023-11-15 08:34 UTC by SMASH SMASH
Modified: 2024-05-29 11:17 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description SMASH SMASH 2023-11-15 08:34:23 UTC
yt-dlp is a youtube-dl fork with additional features and fixes. The Generic
Extractor in yt-dlp is vulnerable to an attacker setting an arbitrary proxy for
a request to an arbitrary url, allowing the attacker to MITM the request made
from yt-dlp's HTTP session. This could lead to cookie exfiltration in some
cases. Version 2023.11.14 removed the ability to smuggle `http_headers` to the
Generic extractor, as well as other extractors that use the same pattern. Users
are advised to upgrade. Users unable to upgrade should disable the Generic
extractor (or only pass trusted sites with trusted content) and take caution when
using `--no-check-certificate`.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-46121
Comment 1 Thomas Leroy 2023-11-15 08:38:27 UTC
Relevant for Factory and Backports
Comment 2 Andreas Stieger 2024-05-28 21:42:34 UTC
Missing in Leap 15.6. Please process incoming submission or fix in Leap 15.6 in your chosen way. (bug 1225537)
Comment 3 Andreas Stieger 2024-05-29 11:17:00 UTC
As per bug 1225537 now also fixed in Leap 15.6, closing