{ "affected": [ { "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "3d092891044f2685ed66c73c870a021bee319c37" } ], "repo": "https://github.com/rudloff/alltube", "type": "GIT" } ] } ], "aliases": [ "GHSA-75p7-527p-w8wp" ], "database_specific": { "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-601", "CWE-918" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/24xxx/CVE-2022-24739.json" }, "details": "alltube is an html front end for youtube-dl. On releases prior to 3.0.3, an attacker could craft a special HTML page to trigger either an open redirect attack or a Server-Side Request Forgery attack (depending on how AllTube is configured). The impact is mitigated by the fact the SSRF attack is only possible when the `stream` option is enabled in the configuration. (This option is disabled by default.) 3.0.3 contains a fix for this vulnerability.", "id": "CVE-2022-24739", "modified": "2026-04-01T23:09:31.756754873Z", "published": "2022-03-08T21:40:10Z", "references": [ { "type": "ADVISORY", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/24xxx/CVE-2022-24739.json" }, { "type": "ADVISORY", "url": "https://github.com/Rudloff/alltube/security/advisories/GHSA-75p7-527p-w8wp" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24739" }, { "type": "FIX", "url": "https://github.com/Rudloff/alltube/commit/3a4f09dda0a466662a4e52cde674749e0c668e8d" }, { "type": "FIX", "url": "https://github.com/Rudloff/alltube/commit/8913f27716400dabf4906a5ad690a5238f73496a" }, { "type": "FIX", "url": "https://github.com/Rudloff/alltube/commit/bc14b6e45c766c05757fb607ef8d444cbbfba71a" } ], "schema_version": "1.7.3", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "type": "CVSS_V3" } ], "summary": "Server-Side Request Forgery (SSRF) and URL Redirection to Untrusted Site ('Open Redirect') in alltube" }