SCA: security update for yt-dlp (GHSA-79w7-vh3h-8g4j)

high Tenable Self-Hosted Container Security Plugin ID 411979

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- `yt-dlp` and `youtube-dl` are command-line audio/video downloaders. Before the fixed versions, neither tool
limited the extension of a downloaded file, so a malicious site could cause arbitrary filenames to be created
in the download folder (and, on Windows, path traversal). Because both tools also read configuration from the
working directory (and, on Windows, execute binaries from the `yt-dlp` or `youtube-dl` directory), a crafted
filename can lead to arbitrary code execution. `yt-dlp` version 2024.07.01 fixes this by allowlisting the
permitted extensions; `youtube-dl` fixes it in commit `d42a222` on the `master` branch and in nightly builds
tagged 2024-07-03 or later. The allowlist means some very uncommon extensions may no longer be downloaded, but
it also narrows the exploitable surface. Beyond upgrading: end the output template with `.%(ext)s`, download
only from sites the user trusts, and never download into a directory on `PATH` or another sensitive location
such as the user's home directory, `system32`, or other binary directories. Users who cannot upgrade should
keep the default output template (`-o "%(title)s [%(id)s].%(ext)s"`), verify that the extension of the media
being downloaded is a common video/audio/subtitle one, avoid the generic extractor, and/or pass
`--ignore-config --config-location ...` so that config is not loaded from the usual locations.
(CVE-2024-38519)
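The checks below are an added example modelled on the mitigations in the advisory above; they are not yt-dlp
or youtube-dl code. They show the three things a practitioner would want to verify on a host flagged by this
plugin: whether the installed `yt-dlp` version is at or past 2024.07.01, whether an output template ends in
`.%(ext)s`, and what an extension allowlist of the kind the fix introduced rejects (the `ALLOWED_EXTENSIONS`
set is an illustrative subset constructed here, not yt-dlp's real list). `hardened_argv()` assembles the
`--ignore-config --config-location` invocation the advisory recommends for users who cannot upgrade; the
config path and URL passed to it are placeholders.

```python
"""Hardening checks modelled on the CVE-2024-38519 advisory (added example, not yt-dlp code)."""
import os
import re

FIXED_VERSION = (2024, 7, 1, 0)                  # first yt-dlp release carrying the fix
DEFAULT_TEMPLATE = "%(title)s [%(id)s].%(ext)s"  # yt-dlp's default output template

# Constructed, illustrative allowlist: lowercase, single-segment, alphanumeric only.
ALLOWED_EXTENSIONS = frozenset({
    "mp4", "mkv", "webm", "mov", "avi", "flv", "m4v", "3gp",   # video
    "mp3", "m4a", "aac", "ogg", "opus", "flac", "wav",         # audio
    "vtt", "srt", "ass", "ttml", "json3",                      # subtitles
    "jpg", "jpeg", "png", "webp",                              # thumbnails
})


def parse_version(version: str) -> tuple:
    """yt-dlp versions are YYYY.MM.DD, optionally with a .N hotfix suffix."""
    m = re.fullmatch(r"(\d{4})\.(\d{2})\.(\d{2})(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"not a yt-dlp version string: {version!r}")
    return tuple(int(part) for part in m.groups(default="0"))


def is_fixed_version(version: str) -> bool:
    """True when the installed version is 2024.07.01 or later."""
    return parse_version(version) >= FIXED_VERSION


def template_ends_with_ext(template: str) -> bool:
    """The advisory's advice: the -o template must end in `.%(ext)s`."""
    return template.endswith(".%(ext)s")


def is_allowed_extension(ext: str) -> bool:
    """Accept only a plain alphanumeric token that is on the allowlist.

    This blocks the shape of attack in the advisory: a server-supplied extension
    such as `exe`, `conf` (which would let a download masquerade as a config file
    read from the working directory), or anything containing `/`, `\\` or `..`.
    """
    if not re.fullmatch(r"[A-Za-z0-9]{1,10}", ext or ""):
        return False
    return ext.lower() in ALLOWED_EXTENSIONS


def safe_download_path(download_dir: str, title: str, video_id: str, ext: str) -> str:
    """Compose the default-template filename and prove it stays inside download_dir."""
    if not is_allowed_extension(ext):
        raise ValueError(f"extension {ext!r} is not on the allowlist")
    if "/" in video_id or "\\" in video_id or video_id in ("", ".", ".."):
        raise ValueError(f"suspicious video id {video_id!r}")
    # The title comes from the remote site; neutralise both separator styles.
    safe_title = re.sub(r"[\\/]", "_", title).strip() or "untitled"
    base = os.path.normpath(os.path.abspath(download_dir))
    full = os.path.normpath(os.path.join(base, f"{safe_title} [{video_id}].{ext.lower()}"))
    if os.path.commonpath([base, full]) != base:
        raise ValueError("download path escapes the download directory")
    return full


def hardened_argv(url: str, download_dir: str, config_path: str) -> list:
    """CLI flags the advisory recommends for users who cannot upgrade.

    --ignore-config stops yt-dlp loading config from the working directory and
    other default locations; --config-location names the one trusted file to use.
    """
    return ["yt-dlp", "--ignore-config", "--config-location", config_path,
            "-P", download_dir, "-o", DEFAULT_TEMPLATE, url]


if __name__ == "__main__":
    # Constructed sample inputs, not captured from a real site or host.
    for v in ("2024.06.30", "2024.07.01", "2025.01.15"):
        print(f"yt-dlp {v}: {'fixed' if is_fixed_version(v) else 'VULNERABLE'}")
    for ext in ("mp4", "MKV", "exe", "conf", "../mp4", "mp4\\..\\yt-dlp"):
        print(f"ext {ext!r}: {'ok' if is_allowed_extension(ext) else 'rejected'}")
    print(safe_download_path("/tmp/downloads", "A Talk", "abc123", "mp4"))
    print(" ".join(hardened_argv("https://example.invalid/v/1", "/tmp/downloads",
                                 "/etc/yt-dlp/trusted.conf")))
```

Run it against the version string reported by `yt-dlp --version` and the `-o` template from your wrapper
scripts; a version below 2024.07.01 or a template that does not end in `.%(ext)s` is what this plugin is
flagging.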

See Also

https://github.com/advisories/GHSA-79w7-vh3h-8g4j

Plugin Details

Severity: High

ID: 411979

Version: Revision 1.8

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 6/30/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: High

Score: 7.6

Percentile: 98.53

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 7.2

Temporal Score: 5.3

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2024-38519

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.8

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 7/2/2024

Vulnerability Publication Date: 7/2/2024

Reference Information

CVE: CVE-2024-38519