CPE-F853248B-B1C6-4862-ACF3-FC2176175276 Detail

CPE Details

yt-dlp Project yt-dlp 2021.11.10.1

Vendor

yt-dlp_project

Product

yt-dlp

Version

2021.11.10.1

Created

2023-07-12
14h07 +00:00

Modified

2023-07-12
16h30 +00:00

Official links

CPE NVD

Alerte pour un CPE

Stay informed of any changes for a specific CPE.

Notifications manage

List of Notifications

Alerte pour un CPE

Stay informed of any changes for a specific CPE.

Parameters

You can specify a title that will be retrieved in the alerts that will be sent out.

CPE ID

Planning

Month

Next run calculation

Day

Weekday

Hour

Minute

Creation date

Last execution

Next execution

Functionality requiring a connection

This feature, which allows you to receive alerts, is only active when you are logged into your account.

CPE Name: cpe:2.3:a:yt-dlp_project:yt-dlp:2021.11.10.1:::::::*

Informations

Vendor

yt-dlp_project

Product

yt-dlp

Version

2021.11.10.1

Related CVE

Open and find in CVE List

CVE ID	Published	Description	Score	Severity
CVE-2023-40581	2023-09-25 18h54 +00:00	yt-dlp is a youtube-dl fork with additional features and fixes. yt-dlp allows the user to provide shell command lines to be executed at various stages in its download steps through the `--exec` flag. This flag allows output template expansion in its argument, so that metadata values may be used in the shell commands. The metadata fields can be combined with the `%q` conversion, which is intended to quote/escape these values so they can be safely passed to the shell. However, the escaping used for `cmd` (the shell used by Python's `subprocess` on Windows) does not properly escape special characters, which can allow for remote code execution if `--exec` is used directly with maliciously crafted remote data. This vulnerability only impacts `yt-dlp` on Windows, and the vulnerability is present regardless of whether `yt-dlp` is run from `cmd` or from `PowerShell`. Support for output template expansion in `--exec`, along with this vulnerable behavior, was added to `yt-dlp` in version 2021.04.11. yt-dlp version 2023.09.24 fixes this issue by properly escaping each special character. `\n` will be replaced by `\r` as no way of escaping it has been found. It is recommended to upgrade yt-dlp to version 2023.09.24 as soon as possible. Also, always be careful when using --exec, because while this specific vulnerability has been patched, using unvalidated input in shell commands is inherently dangerous. For Windows users who are not able to upgrade: 1. Avoid using any output template expansion in --exec other than {} (filepath). 2. If expansion in --exec is needed, verify the fields you are using do not contain ", \| or &. 3. Instead of using --exec, write the info json and load the fields from it instead.	8.4	High

yt-dlp Project yt-dlp 2021.11.10.1

CPE Details

CPE Name: cpe:2.3:a:yt-dlp_project:yt-dlp:2021.11.10.1:*:*:*:*:*:*:*

Informations

Vendor

Product

Version

Related CVE

CPE Name: cpe:2.3:a:yt-dlp_project:yt-dlp:2021.11.10.1:::::::*