Coordinated Disclosure Timeline

  • 2024-02-08: Sent the report to the maintainer’s email.
  • 2024-03-11: Sent a follow-up email.
  • 2024-04-08: Created a discussion post asking for a contact person.
  • 2024-04-08: A fix is created for the dev branch and as a release candidate. The maintainer asks Security Lab to request a CVE themselves.
  • 2024-04-09: CVE-2024-31462 is assigned.

Summary

Stable-diffusion-webui 1.7.0 is vulnerable to a limited file write affecting Windows systems.

Project

stable-diffusion-webui

Tested Version

1.7.0

Details

Limited file write in modules/ui_extensions.py (GHSL-2024-010)

The create_ui method (Backup/Restore tab) in modules/ui_extensions.py reads user input into the config_save_name variable on line 653. That value is passed to the save_config_state method, where it is used to build a file path on line 65, and the resulting path is opened for writing on line 67. The result is a limited file write that is exploitable on Windows systems.

def save_config_state(name):
    current_config_state = config_states.get_config()
    if not name:
        name = "Config"
    current_config_state["name"] = name
    timestamp = datetime.now().strftime('%Y_%m_%d-%H_%M_%S')
    filename = os.path.join(config_states_dir, f"{timestamp}_{name}.json")
    print(f"Saving backup of webui/extension state to {filename}.")
    with open(filename, "w", encoding="utf-8") as f:
        json.dump(current_config_state, f, indent=4, ensure_ascii=False)

This issue was found with the help of CodeQL.
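
One way to constrain the name before it reaches os.path.join in the save_config_state excerpt above. This is an added example, not the project's code or its actual fix. The helper names build_config_state_path and is_directly_inside, the allowed character set and the sample directory are assumptions made for the illustration.

```python
import ntpath
import re
from datetime import datetime

# Allow-list for the user-supplied name: no path separators, no drive colon,
# bounded length. The exact character set is an assumption of this example.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9 ._-]{0,63}")


def is_directly_inside(base, candidate, pathmod=ntpath):
    """True if the normalised candidate is a file directly inside base."""
    parent = pathmod.dirname(pathmod.normpath(candidate))
    return pathmod.normcase(parent) == pathmod.normcase(pathmod.normpath(base))


def build_config_state_path(config_states_dir, name, now=None, pathmod=ntpath):
    """Return the backup path for name, or raise ValueError if it is unsafe.

    pathmod defaults to ntpath so Windows path rules are applied on any OS
    (a choice made for this demonstration; use os.path in real code).
    """
    if not name:
        name = "Config"
    if not _SAFE_NAME.fullmatch(name):
        raise ValueError(f"unsafe config state name: {name!r}")
    timestamp = (now or datetime.now()).strftime('%Y_%m_%d-%H_%M_%S')
    candidate = pathmod.normpath(
        pathmod.join(config_states_dir, f"{timestamp}_{name}.json"))
    # Defence in depth: even if the allow-list is loosened later, the final
    # path must still resolve to a file directly in the backup directory.
    if not is_directly_inside(config_states_dir, candidate, pathmod):
        raise ValueError(f"path leaves backup directory: {candidate!r}")
    return candidate


if __name__ == "__main__":
    base = r"C:\webui\config_states"          # constructed directory
    for sample in ["nightly", "", "a\\b", "a/b", "C:x"]:  # constructed names
        try:
            print(repr(sample), "->", build_config_state_path(base, sample))
        except ValueError as exc:
            print(repr(sample), "-> rejected:", exc)
```

The allow-list rejects the input outright instead of trying to strip separators, and the containment check is kept as a second, independent control.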

Impact

This issue may lead to a limited file write. It allows writing JSON files anywhere on the server.

CVE

  • CVE-2024-31462

Credit

This issue was discovered and reported by GHSL team member @sylwia-budzynska (Sylwia Budzynska). The vulnerability was found with the help of CodeQL’s path injection query and additional modeling.

Contact

You can contact the GHSL team at securitylab@github.com. Please include a reference to GHSL-2024-010 in any communication regarding this issue.