Applio Voice Conversion Tool Arbitrary File Read Vulnerability

Vulnerability

A vulnerability allowing arbitrary file read has been identified in Applio, a voice conversion tool, in versions through 3.2.8-bugfix. The issue arises in the 'export_index' function of 'train.py', where user input is not properly validated, allowing access to arbitrary files on the Applio server. This vulnerability can be exploited in conjunction with blind server-side request forgery (SSRF) to read files from internal network servers accessible to the Applio server.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive files on the Applio server. When combined with blind SSRF, it could facilitate reading files from internal network servers that the Applio server can access.

Reproduction

The vulnerability can be reproduced by using the 'export_index' function in 'train.py', which is part of the Applio voice conversion tool. This function can be accessed through the application's user interface or by sending a request that includes arbitrary file paths. The lack of restrictions on the file paths allows for the reading of any file on the server.
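The defensive counterpart to the issue above is strict confinement of the user-supplied path to the directory the export is meant to serve. The following is an added example, not Applio's own code; the per-model directory layout, the function names and the ".index" suffix rule are assumptions used only to illustrate the check.

```python
import tempfile
from pathlib import Path

def resolve_within(base_dir: str, user_path: str) -> Path:
    """Resolve user_path strictly inside base_dir or raise ValueError.

    Blocks absolute paths, '..' traversal and symlinks that point outside
    base_dir (resolve() follows symlinks before the containment check).
    """
    base = Path(base_dir).resolve()
    if Path(user_path).is_absolute():
        raise ValueError("absolute paths are not allowed")
    candidate = (base / user_path).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise ValueError(f"path escapes {base}: {user_path!r}") from None
    return candidate

def export_index_safe(base_dir: str, user_path: str) -> bytes:
    """Hypothetical hardened export: only .index files inside base_dir."""
    path = resolve_within(base_dir, user_path)
    if path.suffix != ".index":
        raise ValueError("only .index files may be exported")
    return path.read_bytes()

def demo() -> dict:
    """Exercise the check on a constructed layout: one legitimate index file
    plus a 'secret' outside the model directory reachable three ways."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "logs" / "model"      # assumed per-model directory
        base.mkdir(parents=True)
        (base / "added.index").write_bytes(b"INDEX")
        secret = Path(tmp) / "secret.txt"
        secret.write_text("not for export")
        attempts = {"traversal": "../../secret.txt", "absolute": str(secret)}
        try:
            (base / "link.index").symlink_to(secret)
            attempts["symlink"] = "link.index"
        except OSError:
            pass  # platforms without symlink support just skip that case
        results = {"legit": export_index_safe(str(base), "added.index")}
        for name, user_path in attempts.items():
            try:
                export_index_safe(str(base), user_path)
                results[name] = "READ"           # would mean the check failed
            except ValueError:
                results[name] = "blocked"
        return results
```

Resolving the candidate before the containment test is the important detail: a check on the raw string alone misses symlinks and normalised traversal sequences.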

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 8.7
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.