Home » Database

AVID-2026-R1469

Description

Kohya_ss is vulnerable to a command injection in basic_caption_gui.py (GHSL-2024-019) (CVE-2024-32022)

Details

Kohya_ss is a GUI for Kohya’s Stable Diffusion trainers. Kohya_ss is vulnerable to command injection in basic_caption_gui.py. This vulnerability is fixed in 23.1.5.

Reason for inclusion in AVID: CVE-2024-32022 reports a command injection vulnerability in Kohya_ss, a GUI tool used for training Stable Diffusion models. This is a software flaw in a component commonly used in AI model development/stack; it impacts the AI software supply chain (training tool, dependencies). The vulnerability is security-related (RCE). Evidence: CVE entry and advisories.

References

Affected or Relevant Artifacts

  • Developer: bmaltais
  • Deployer: bmaltais
  • Artifact Details:
TypeName
Systemkohya_ss

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

Version3.1
Vector StringCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Base Score9.1
Base Severity🔴 Critical
Attack VectorNETWORK
Attack Complexity🟢 Low
Privileges RequiredNONE
User InteractionNONE
ScopeUNCHANGED
Confidentiality Impact🔴 High
Integrity Impact🔴 High
Availability ImpactNONE

CWE

IDDescription
CWE-77CWE-77: Improper Neutralization of Special Elements used in a Command (‘Command Injection’)

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2024-04-16
  • Version: 0.3.3
  • AVID Entry