Cyber Resilience

CVE-2022-0692

Severity: Medium · Public PoC

Published: 21 February 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: fixed in release 3.0.1
CVSS Score v3.1: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
EPSS Score: 0.2083 (95.7th percentile)
Risk Priority: 25 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-0692 is a medium-severity open redirect (CWE-601) vulnerability in Alltube (vendor: Alltube Project; Packagist package rudloff/alltube). Its CVSS v3.1 base score is 6.1 (Medium).

Operationally, its EPSS score places it in the top 4.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

CVE-2022-0692 is an open redirect vulnerability (CWE-601) affecting the rudloff/alltube package on Packagist in versions prior to 3.0.1. The flaw carries a CVSS v3.1 score of 6.1: network attack vector, low attack complexity, no privileges required, user interaction required, and a changed scope, because the redirect issued by the application delivers the victim's browser to an attacker-chosen origin. Confidentiality and integrity impact are rated low; availability is unaffected.

An unauthenticated remote attacker crafts a link to the alltube instance whose redirect target is attacker-controlled. When a victim follows the link, the application responds with a redirect to the attacker's site, so the link the victim clicked appears to belong to the trusted alltube domain while delivering them to a phishing page or another client-side attack.

The referenced GitHub commit bc14b6e45c766c05757fb607ef8d444cbbfba71a and the associated huntr.dev report document the fix, which shipped in release 3.0.1; upgrading to 3.0.1 or later removes the open redirect.

EPSS for the CVE has remained flat at 0.2083 with no material post-disclosure increase.


Vulnerability details

Open Redirect on Rudloff/alltube in Packagist rudloff/alltube prior to 3.0.1.

CWE(s)

CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Alltube Project alltube (Packagist rudloff/alltube), versions prior to 3.0.1 (3.0.1 is the fixed release)

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness type (CWE) cited in the NVD entry.

Security awareness (addresses CWE-601): train users to verify URLs and avoid following untrusted redirects that lead to malicious sites.

Redirect target validation (addresses CWE-601): validate redirect targets and URLs so that they conform to allowed destinations.
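The crafted-link attack described under Deeper analysis and the redirect-target validation control listed above, as an added example that is not code from the alltube project (whose code base is PHP); it is written in Python so the logic runs anywhere. The request parameter name `next`, the origin `https://alltube.example`, the allow-list and the sample inputs are assumptions constructed for the illustration.

```python
"""Open redirect (CWE-601): the vulnerable pattern beside a hardened check.

Added example for this page; not code from the alltube project. The
parameter name ``next``, APP_ORIGIN and ALLOWED_HOSTS are assumptions.
"""
from urllib.parse import urljoin, urlsplit

APP_ORIGIN = "https://alltube.example"   # assumed deployment origin
ALLOWED_HOSTS = {"alltube.example"}      # hosts a redirect may land on


def redirect_unsafe(next_url: str) -> str:
    """Vulnerable pattern: the Location header is whatever the client sent.

    https://alltube.example/?next=https://evil.example/login sends the
    victim to evil.example although the link they clicked looked local.
    """
    return next_url


def safe_redirect_target(next_url: str, fallback: str = "/") -> str:
    """Return a redirect target that stays on the application's own origin.

    Rejects absolute URLs to other hosts, protocol-relative ``//host``
    forms, backslash variants that browsers normalise to ``//``,
    non-http(s) schemes, embedded control characters, and userinfo tricks
    such as ``https://alltube.example@evil.example``. Relative paths are
    resolved against APP_ORIGIN, so the caller always gets one absolute URL
    on an allowed host, or ``fallback`` when the input cannot be trusted.
    """
    if not next_url:
        return fallback
    # Browsers treat "\" as "/" in the scheme/authority part of a URL, so
    # normalise before parsing. Control characters are rejected before
    # urlsplit() sees them, because urlsplit silently drops \t \r \n.
    candidate = next_url.strip().replace("\\", "/")
    if any(ord(ch) < 0x20 for ch in candidate):
        return fallback
    parts = urlsplit(candidate)
    scheme = parts.scheme.lower()
    if scheme and scheme not in ("http", "https"):
        return fallback                    # javascript:, data:, file:, ...
    if candidate.startswith("//"):
        return fallback                    # protocol-relative: //evil.example/
    if scheme and not parts.netloc:
        return fallback                    # malformed, e.g. "http:evil.example"
    if parts.netloc:
        # Absolute URL: no userinfo allowed, host must be on the allow-list.
        if "@" in parts.netloc or parts.hostname not in ALLOWED_HOSTS:
            return fallback
        return candidate
    # Relative path such as "/download?url=...": pin it to our own origin.
    resolved = urljoin(APP_ORIGIN + "/", candidate)
    if urlsplit(resolved).hostname not in ALLOWED_HOSTS:
        return fallback
    return resolved


def check_samples() -> dict:
    """Run both functions over constructed inputs (not captured traffic)."""
    samples = [
        "https://alltube.example/info",
        "/download?url=https://video.example/v",
        "https://evil.example/login",
        "//evil.example/",
        "/\\evil.example",
        "javascript:alert(1)",
        "https://alltube.example@evil.example/",
    ]
    return {s: (redirect_unsafe(s), safe_redirect_target(s)) for s in samples}


if __name__ == "__main__":
    for src, (unsafe, safe) in check_samples().items():
        print(f"{src!r:45} unsafe -> {unsafe!r:40} safe -> {safe!r}")
```

The design choice worth noting is that the hardened function never echoes a host it has not matched against the allow-list: relative paths are rewritten to an absolute URL on the application's own origin rather than passed through, which also closes the `//host` and `\\host` variants that a plain "starts with /" check lets through. Where an application does not need cross-origin redirects at all, accepting an internal route name instead of a URL removes the problem class entirely.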

References

NVD entry for CVE-2022-0692
GitHub commit bc14b6e45c766c05757fb607ef8d444cbbfba71a (fix merged for rudloff/alltube release 3.0.1)
huntr.dev report for CVE-2022-0692