CVE-2022-24739

moderate-risk

Published 2022-03-08

alltube is an html front end for youtube-dl. On releases prior to 3.0.3, an attacker could craft a special HTML page to trigger either an open redirect attack or a Server-Side Request Forgery attack (depending on how AllTube is configured). The impact is mitigated by the fact the SSRF attack is only possible when the `stream` option is enabled in the configuration. (This option is disabled by default.) 3.0.3 contains a fix for this vulnerability.

Do I need to act?

0.25% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.3/10 High

NETWORK / LOW complexity

Affected Products (1)

Alltube

Affected Vendors

Alltube Project

References (8)

Patch https://github.com/Rudloff/alltube/commit/3a4f09dda0a466662a4e52cde674749e0c668e...

Patch https://github.com/Rudloff/alltube/commit/8913f27716400dabf4906a5ad690a5238f7349...

Patch https://github.com/Rudloff/alltube/commit/bc14b6e45c766c05757fb607ef8d444cbbfba7...

Patch https://github.com/Rudloff/alltube/security/advisories/GHSA-75p7-527p-w8wp

Patch https://github.com/Rudloff/alltube/commit/3a4f09dda0a466662a4e52cde674749e0c668e...

Patch https://github.com/Rudloff/alltube/commit/8913f27716400dabf4906a5ad690a5238f7349...

Patch https://github.com/Rudloff/alltube/commit/bc14b6e45c766c05757fb607ef8d444cbbfba7...

Patch https://github.com/Rudloff/alltube/security/advisories/GHSA-75p7-527p-w8wp

/ 100

moderate-risk

Severity 26/34 · High

Exploitability 1/34 · Minimal

Exposure 5/34 · Minimal