Kohya_ss Vulnerable to Command Injection in `group_images_gui.py`
CVE-2024-32025

9.1CRITICAL

Key Information:

Vendor

Bmaltais

Status
Kohya Ss
Vendor
CVE Published:
16 April 2024

What is CVE-2024-32025?

The Kohya_ss GUI, which serves as an interface for Kohya's Stable Diffusion trainers, is affected by a command injection vulnerability located in the 'group_images_gui.py' module. This vulnerability allows an attacker to execute arbitrary commands on the server, potentially compromising the system's integrity. Affected users are encouraged to upgrade to version 23.1.5, where this security issue has been addressed. The vulnerability poses significant risks to users who may inadvertently expose their systems to malicious actors.

Affected Version(s)

kohya_ss >= 22.6.1, < 23.1.5

References

https://github.com/bmaltais/kohya_ss/security/advisories/...
x_refsource_CONFIRM
https://github.com/bmaltais/kohya_ss/commit/831af8babeb75...
x_refsource_MISC
https://securitylab.github.com/advisories/GHSL-2024-019_G...
x_refsource_MISC

CVSS V3.1

Score:
9.1
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.