CVE-2022-0692
Published: 21 February 2022
Summary
CVE-2022-0692 is a medium-severity Open Redirect (CWE-601) vulnerability in Alltube Project Alltube. Its CVSS base score is 6.1 (Medium).
Operationally, it ranks in the top 4.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
CVE-2022-0692 is an open redirect vulnerability (CWE-601) affecting the Rudloff/alltube package on Packagist in versions prior to 3.0.1. The flaw carries a CVSS 3.1 score of 6.1 with a network attack vector, low complexity, no required privileges, and required user interaction, allowing redirection to an arbitrary destination under the application's origin.
An unauthenticated remote attacker can supply a crafted URL that passes through alltube's redirect logic. When a victim follows the link, the browser is sent to an attacker-chosen site, enabling phishing or further client-side attacks while preserving the appearance of legitimacy from the original domain.
The referenced GitHub commit bc14b6e45c766c05757fb607ef8d444cbbfba71a and the associated huntr.dev report document the fix that was merged to produce release 3.0.1; applying that update removes the open redirect path.
EPSS for the CVE has remained flat at 0.2083 with no material post-disclosure increase.
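To make the weakness class concrete from the defender's side, the following added example (not code from the alltube project, which is written in PHP, and not taken from the referenced fix commit) contrasts the weak pattern behind CWE-601 with a hardened redirect-target check in Python. The application hostname `alltube.example` and the sample inputs are constructed for this example; the check only accepts a single-slash relative path or an absolute http(s) URL whose hostname is on an explicit allowlist, and it rejects the usual bypass shapes (scheme-relative `//host`, triple-slash, backslashes, userinfo `@` tricks, non-http schemes and control characters).

```python
"""Open redirect (CWE-601): weak pattern vs. allowlist-based target validation.

Added example; ALLOWED_HOSTS and all sample inputs below are constructed.
"""
from urllib.parse import urlsplit

# Hostname(s) the application is allowed to redirect to (constructed value).
ALLOWED_HOSTS = frozenset({"alltube.example"})


def vulnerable_redirect_target(next_url: str, default: str = "/") -> str:
    """The weak pattern: whatever the client supplies becomes the Location header."""
    return next_url or default


def _has_control_chars(value: str) -> bool:
    # Tabs, newlines and other C0 controls are stripped or tolerated by browsers,
    # so a value containing them is treated as hostile rather than normalised.
    return any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value)


def safe_redirect_target(next_url: str,
                         allowed_hosts: frozenset = ALLOWED_HOSTS,
                         default: str = "/") -> str:
    """Return next_url only if it stays on an allowed origin, else the default."""
    if not next_url or _has_control_chars(next_url) or "\\" in next_url:
        # Browsers treat "\" like "/" (so "/\evil" becomes "//evil"); reject outright.
        return default

    parts = urlsplit(next_url)

    if not parts.scheme and not parts.netloc:
        # Relative reference: accept only an absolute path with exactly one leading
        # slash. "//host" is scheme-relative and "///host" collapses to a host in
        # browsers, so both are refused here.
        if next_url.startswith("/") and not next_url.startswith("//"):
            return next_url
        return default

    if parts.scheme.lower() not in ("http", "https"):
        return default          # javascript:, data:, mailto: and friends
    if "@" in parts.netloc:
        return default          # "https://good@evil/" style userinfo confusion
    host = parts.hostname       # lowercased, port and userinfo removed
    if host is None or host not in allowed_hosts:
        return default
    return next_url


if __name__ == "__main__":
    # Constructed inputs: the first two are legitimate, the rest are bypass shapes.
    samples = [
        "/watch?id=abc123",
        "https://alltube.example/download",
        "//evil.example/phish",
        "///evil.example",
        "/\\evil.example",
        "https://alltube.example@evil.example/",
        "https://evil.example/",
        "javascript:alert(1)",
    ]
    for s in samples:
        print(f"{s!r:45} weak={vulnerable_redirect_target(s)!r:45} "
              f"safe={safe_redirect_target(s)!r}")
```

The two legitimate inputs pass through unchanged; every other input is replaced by the default `/`, whereas the weak function echoes all of them. Note that the allowlist match is on hostname only, so if the deployment should also pin the port or scheme, extend the check with `parts.port` and `parts.scheme` accordingly.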
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-1077
Vulnerability details
Open Redirect on Rudloff/alltube in Packagist rudloff/alltube prior to 3.0.1.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.