AVID-2026-R1470

Description

Kohya_ss vulnerable to path injection in common_gui.py find_and_replace function (GHSL-2024-024) (CVE-2024-32023)

Details

Kohya_ss is a GUI for Kohya’s Stable Diffusion trainers. Kohya_ss is vulnerable to a path injection in the common_gui.py find_and_replace function. This vulnerability is fixed in 23.1.5.

Reason for inclusion in AVID: CVE-2024-32023 describes a path traversal vulnerability in kohya_ss GUI used for Stable Diffusion trainer workflows. This is a software vulnerability affecting a tool commonly used in AI model training pipelines, i.e., part of the AI software supply chain. It targets a software component (training tooling) rather than hardware/firmware. The CVE, CWE-22, and public advisories provide clear evidence of a security vulnerability within AI-related tooling.

References

• NVD entry
• https://github.com/bmaltais/kohya_ss/security/advisories/GHSA-p945-7qm7-7j53
• https://github.com/bmaltais/kohya_ss/commit/8bc67a7467f8366db1a4b9b3b14525ec763f1650
• https://securitylab.github.com/advisories/GHSL-2024-019_GHSL-2024-024_kohya_ss

Affected or Relevant Artifacts

• Developer: bmaltais
• Deployer: bmaltais
• Artifact Details:

Impact

AVID Taxonomy Categorization

• Risk domains: Security
• SEP subcategories: S0100: Software Vulnerability
• Lifecycle stages: L06: Deployment

CVSS

CWE

Other information

• Report Type: Advisory
• Credits:
• Date Reported: 2024-04-16
• Version: 0.3.3
• AVID Entry