CVE-2023-35934

CVSS 3.1 Score 8.2 of 10 (high)

Details

Published Jul 6, 2023
Updated: Aug 25, 2023
CWE ID 601
CWE ID 200

Summary

The vulnerability with the CVE ID CVE-2023-35934 affects yt-dlp, a command-line program used for downloading videos from video sites. It is present in versions prior to 2023.07.06 and nightly 2023.07.06.185519. This vulnerability allows cookies to be leaked during file downloads on HTTP redirects to a different host or when the host for download fragments differs from their parent manifest's host. All native and external downloaders are affected except for 'curl' and 'httpie' (version 3.1.0 or later). The cookies are passed as a 'Cookie' header at the file download stage, losing their scope and causing potential indiscriminate sending of cookies with requests to domains or paths for which they are not scoped. The issue is fixed in yt-dlp versions 2023.07.06 and nightly 2023.07.06.185519 by removing the 'Cookie' header upon HTTP redirects. This vulnerability poses a potential danger to organizations as it can lead to information exposure and compromise the confidentiality of sensitive data. (Note: The information above is a summary of the provided text and does not represent an actual vulnerability in any product.)

Leverage our Vulnerability Intelligence module to secure your systems now - get detailed insights on CVE-2024-37364. Book your demo today.

Share

Explore Beyond the CVE Basics with Recorded Future's Vulnerability Intelligence

Note: This is just a basic overview providing quick insights into CVE-2023-35934 information. Gain full access to comprehensive CVE data, risk scores, prioritization, and mitigation data through Recorded Future's Vulnerability Intelligence:
  • Prioritize with Risk-Based Scoring
  • Explore the Extensive Vulnerability Database
  • Receive Early Alerts on Emerging CVEs
  • Focus on Critical Exploitable Vulnerabilities
  • Streamline Remediation with Integration Options