CVE-2024-39686 - OpenCVE

Bert-VITS2 is the VITS2 Backbone with multilingual bert. User input supplied to the data_dir variable is used directly in a command executed with subprocess.run(cmd, shell=True) in the bert_gen function, which leads to arbitrary command execution. This affects fishaudio/Bert-VITS2 2.3 and earlier.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable yes

Technical Impact total

Vendors	Products
Fishaudio	Bert-vits2

Configuration 1 [-]

cpe:2.3:a:fishaudio:bert-vits2:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/fishaudio/Bert-VITS2/blob/3f8c537f4aeb281df3fb3c455eed9a1b64871a81/webui_preprocess.py#L82C9-L82C57
https://github.com/fishaudio/Bert-VITS2/blob/76653b5b6d657143721df2ed6c5c246b4b1d9277/webui_preprocess.py#L130-L133
https://securitylab.github.com/advisories/GHSL-2024-045_GHSL-2024-047_fishaudio_Bert-VITS2/

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-07-22T15:16:17.258Z

Updated: 2024-08-02T04:26:15.942Z

Reserved: 2024-06-27T18:44:13.035Z

Link: CVE-2024-39686

Vulnrichment

Updated: 2024-07-23T14:29:27.310Z

NVD

Status : Analyzed

Published: 2024-07-22T16:15:03.657

Modified: 2024-09-11T15:37:20.323

Link: CVE-2024-39686

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-39686", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-06-27T18:44:13.035Z", "datePublished": "2024-07-22T15:16:17.258Z", "dateUpdated": "2024-08-02T04:26:15.942Z"}, "containers": {"cna": {"title": "fishaudio/Bert-VITS2 Command Injection in webui_preprocess.py bert_gen function", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://securitylab.github.com/advisories/GHSL-2024-045_GHSL-2024-047_fishaudio_Bert-VITS2/", "tags": ["x_refsource_CONFIRM"], "url": "https://securitylab.github.com/advisories/GHSL-2024-045_GHSL-2024-047_fishaudio_Bert-VITS2/"}, {"name": "https://github.com/fishaudio/Bert-VITS2/blob/3f8c537f4aeb281df3fb3c455eed9a1b64871a81/webui_preprocess.py#L82C9-L82C57", "tags": ["x_refsource_MISC"], "url": "https://github.com/fishaudio/Bert-VITS2/blob/3f8c537f4aeb281df3fb3c455eed9a1b64871a81/webui_preprocess.py#L82C9-L82C57"}, {"name": "https://github.com/fishaudio/Bert-VITS2/blob/76653b5b6d657143721df2ed6c5c246b4b1d9277/webui_preprocess.py#L130-L133", "tags": ["x_refsource_MISC"], "url": "https://github.com/fishaudio/Bert-VITS2/blob/76653b5b6d657143721df2ed6c5c246b4b1d9277/webui_preprocess.py#L130-L133"}], "affected": [{"vendor": "FishAudio", "product": "Bert-VITS2", "versions": [{"version": "<= 2.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-07-22T15:16:17.258Z"}, "descriptions": [{"lang": "en", "value": "Bert-VITS2 is the VITS2 Backbone with multilingual bert. User input supplied to the data_dir variable is used directly in a command executed with subprocess.run(cmd, shell=True) in the bert_gen function, which leads to arbitrary command execution. This affects fishaudio/Bert-VITS2 2.3 and earlier."}], "source": {"advisory": "GHSA-6rf5-wfmc-v3f9", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "fishaudio", "product": "bert-vits2", "cpes": ["cpe:2.3:a:fishaudio:bert-vits2:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.3", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-23T14:27:29.343758Z", "id": "CVE-2024-39686", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-24T18:40:52.537Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:26:15.942Z"}, "title": "CVE Program Container", "references": [{"name": "https://securitylab.github.com/advisories/GHSL-2024-045_GHSL-2024-047_fishaudio_Bert-VITS2/", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://securitylab.github.com/advisories/GHSL-2024-045_GHSL-2024-047_fishaudio_Bert-VITS2/"}, {"name": "https://github.com/fishaudio/Bert-VITS2/blob/3f8c537f4aeb281df3fb3c455eed9a1b64871a81/webui_preprocess.py#L82C9-L82C57", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/fishaudio/Bert-VITS2/blob/3f8c537f4aeb281df3fb3c455eed9a1b64871a81/webui_preprocess.py#L82C9-L82C57"}, {"name": "https://github.com/fishaudio/Bert-VITS2/blob/76653b5b6d657143721df2ed6c5c246b4b1d9277/webui_preprocess.py#L130-L133", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/fishaudio/Bert-VITS2/blob/76653b5b6d657143721df2ed6c5c246b4b1d9277/webui_preprocess.py#L130-L133"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-39686", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-07-23T14:27:29.343758Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:fishaudio:bert-vits2:*:*:*:*:*:*:*:*"], "vendor": "fishaudio", "product": "bert-vits2", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2.3"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-23T14:29:27.310Z"}}], "cna": {"title": "fishaudio/Bert-VITS2 Command Injection in webui_preprocess.py bert_gen function", "source": {"advisory": "GHSA-6rf5-wfmc-v3f9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "FishAudio", "product": "Bert-VITS2", "versions": [{"status": "affected", "version": "<= 2.3"}]}], "references": [{"url": "https://securitylab.github.com/advisories/GHSL-2024-045_GHSL-2024-047_fishaudio_Bert-VITS2/", "name": "https://securitylab.github.com/advisories/GHSL-2024-045_GHSL-2024-047_fishaudio_Bert-VITS2/", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/fishaudio/Bert-VITS2/blob/3f8c537f4aeb281df3fb3c455eed9a1b64871a81/webui_preprocess.py#L82C9-L82C57", "name": "https://github.com/fishaudio/Bert-VITS2/blob/3f8c537f4aeb281df3fb3c455eed9a1b64871a81/webui_preprocess.py#L82C9-L82C57", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/fishaudio/Bert-VITS2/blob/76653b5b6d657143721df2ed6c5c246b4b1d9277/webui_preprocess.py#L130-L133", "name": "https://github.com/fishaudio/Bert-VITS2/blob/76653b5b6d657143721df2ed6c5c246b4b1d9277/webui_preprocess.py#L130-L133", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Bert-VITS2 is the VITS2 Backbone with multilingual bert. User input supplied to the data_dir variable is used directly in a command executed with subprocess.run(cmd, shell=True) in the bert_gen function, which leads to arbitrary command execution. This affects fishaudio/Bert-VITS2 2.3 and earlier."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-07-22T15:16:17.258Z"}}}, "cveMetadata": {"cveId": "CVE-2024-39686", "state": "PUBLISHED", "dateUpdated": "2024-07-24T18:40:52.537Z", "dateReserved": "2024-06-27T18:44:13.035Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-07-22T15:16:17.258Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fishaudio:bert-vits2:*:*:*:*:*:*:*:*", "matchCriteriaId": "9D740611-D9C6-4B34-9FDA-7D8BD5FECF48", "versionEndIncluding": "2.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Bert-VITS2 is the VITS2 Backbone with multilingual bert. User input supplied to the data_dir variable is used directly in a command executed with subprocess.run(cmd, shell=True) in the bert_gen function, which leads to arbitrary command execution. This affects fishaudio/Bert-VITS2 2.3 and earlier."}, {"lang": "es", "value": " Bert-VITS2 es la columna vertebral de VITS2 con bert multiling\u00fce. La entrada del usuario proporcionada a la variable data_dir se usa directamente en un comando ejecutado con subprocess.run(cmd, shell=True) en la funci\u00f3n bert_gen, lo que conduce a la ejecuci\u00f3n de comandos arbitrarios. Esto afecta a fishaudio/Bert-VITS2 2.3 y versiones anteriores."}], "id": "CVE-2024-39686", "lastModified": "2024-09-11T15:37:20.323", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-07-22T16:15:03.657", "references": [{"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/fishaudio/Bert-VITS2/blob/3f8c537f4aeb281df3fb3c455eed9a1b64871a81/webui_preprocess.py#L82C9-L82C57"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/fishaudio/Bert-VITS2/blob/76653b5b6d657143721df2ed6c5c246b4b1d9277/webui_preprocess.py#L130-L133"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://securitylab.github.com/advisories/GHSL-2024-045_GHSL-2024-047_fishaudio_Bert-VITS2/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Secondary"}]}