Kohya_ss Vulnerable to Command Injection in Basic Caption GUI
CVE-2024-32022

9.1CRITICAL

Key Information:

Vendor: Bmaltais
Status: Kohya Ss
Vendor: CVE Published:; 16 April 2024

What is CVE-2024-32022?

A security vulnerability has been identified in Kohya_ss, the graphical user interface for Kohya's Stable Diffusion training models. The vulnerability resides in the basic_caption_gui.py script, where it is susceptible to command injection. This flaw enables malicious actors to execute arbitrary commands on the host system through specific inputs. Users of Kohya_ss are encouraged to upgrade to version 23.1.5 or higher to mitigate potential exploitation of this vulnerability. It is crucial for users to regularly monitor product updates and apply security patches promptly to safeguard their systems.

Affected Version(s)

kohya_ss >= 22.6.1, < 23.1.5

References

https://github.com/bmaltais/kohya_ss/security/advisories/...

x_refsource_CONFIRM

https://github.com/bmaltais/kohya_ss/commit/831af8babeb75...

x_refsource_MISC

https://securitylab.github.com/advisories/GHSL-2024-019_G...

x_refsource_MISC

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 16, 2024
Vulnerability Reserved
Apr 9, 2024

Bmaltais

What is CVE-2024-32022?

Affected Version(s)

References

CVSS V3.1

Timeline