Applio Voice Conversion Tool Arbitrary File Write Vulnerability in Train.py
Vulnerability
A vulnerability allowing arbitrary file writes has been identified in the Applio voice conversion tool, specifically in versions through 3.2.8-bugfix. The issue arises in 'train.py', where user-supplied input can be used to write files to the server. This vulnerability can be exploited in conjunction with an unsafe deserialization flaw to achieve remote code execution on the Applio server.
Impact
Exploitation of this vulnerability can lead to arbitrary file writes on the Applio server. If combined with the identified unsafe deserialization vulnerabilities, it could result in remote code execution on the server.
Reproduction
The vulnerability can be reproduced by uploading files through the 'bin_file_upload' and 'config_file_upload' inputs, while specifying a folder name in 'folder_name_input'. The uploaded files are then copied to a location on the server without proper validation, allowing for arbitrary file writes.
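The defect described above is a classic untrusted-path problem: a user-chosen folder name and a client-chosen upload filename are joined onto a server path and copied into place. The following Python block is an added example, not Applio's own code, showing the naive join beside a hardened version that confines every write to a fixed root. UPLOAD_ROOT, ALLOWED_SUFFIXES and all function names are assumptions made for the example; Applio's real directory layout and accepted file types are not given on the page.

```python
"""Hardened handling of user-named upload folders (added example, not Applio's code)."""
import os
import re
import shutil
from pathlib import Path

# Root under which uploaded training assets may be written. The path is an
# assumption made for this example; Applio's real layout is not on the page.
UPLOAD_ROOT = Path("/srv/applio/logs").resolve()

# Suffixes accepted for the binary and config uploads: assumed values, adjust
# to whatever the application actually expects.
ALLOWED_SUFFIXES = frozenset({".bin", ".json"})

# One path segment: starts alphanumeric, then a short run of safe characters.
_FOLDER_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}")


class UnsafePathError(ValueError):
    """Raised when user-controlled input would land outside the upload root."""


def unsafe_destination(folder_name: str, filename: str, root: Path = UPLOAD_ROOT) -> Path:
    """The vulnerable pattern: both user-supplied segments are trusted verbatim.

    Kept only to contrast with resolve_destination(); never use this form.
    """
    return Path(os.path.join(root, folder_name, filename))


def resolve_destination(folder_name: str, filename: str, root: Path = UPLOAD_ROOT,
                        allowed_suffixes=ALLOWED_SUFFIXES) -> Path:
    """Return a destination for an uploaded file that is guaranteed to sit under root."""
    if not _FOLDER_NAME_RE.fullmatch(folder_name):
        raise UnsafePathError(f"rejected folder name {folder_name!r}")
    # Uploaded filenames are client-chosen: keep only the final component and
    # refuse anything that carried directory parts or is a dot entry.
    base = os.path.basename(filename)
    if base != filename or base in ("", ".", ".."):
        raise UnsafePathError(f"rejected filename {filename!r}")
    if Path(base).suffix.lower() not in allowed_suffixes:
        raise UnsafePathError(f"rejected suffix on {filename!r}")
    dest = (root / folder_name / base).resolve()
    # Defence in depth: after symlink resolution the target must still be
    # inside root (Path.is_relative_to requires Python 3.9+).
    if not dest.is_relative_to(root):
        raise UnsafePathError(f"{dest} escapes {root}")
    return dest


def is_confined(folder_name: str, filename: str, root: Path = UPLOAD_ROOT) -> bool:
    """True if the input pair would be accepted by resolve_destination()."""
    try:
        resolve_destination(folder_name, filename, root)
        return True
    except UnsafePathError:
        return False


def copy_upload(src: Path, folder_name: str, filename: str, root: Path = UPLOAD_ROOT) -> Path:
    """Validate the inputs, create the experiment folder, and copy the upload into it."""
    dest = resolve_destination(folder_name, filename, root)
    dest.parent.mkdir(parents=True, exist_ok=True)
    shutil.copyfile(src, dest)
    return dest


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        staged = root / "incoming.json"  # constructed stand-in for the uploaded temp file
        staged.write_text('{"constructed": true}')
        print("copied to", copy_upload(staged, "my-experiment", "config.json", root))
        for folder, name in [("../../etc", "config.json"), ("exp", "../cron.json"), ("exp", "x.exe")]:
            verdict = "accepted" if is_confined(folder, name, root) else "rejected"
            print(f"{folder!r} / {name!r} -> {verdict}")
```

The allow-list on the folder name does most of the work; the post-resolve `is_relative_to` check is there so that a symlink planted inside the root, or a future relaxation of the regex, still cannot redirect a write outside it. Restricting suffixes also narrows what the later deserialization step will ever be handed.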
