Retrieval-Based Voice Conversion WebUI Command Injection Vulnerability

Vulnerability

A command injection vulnerability has been identified in Retrieval-Based Voice Conversion WebUI, in versions up to and including 2.2.231006. The issue is in the 'infer-web.py' file, where user input from several variables is not sanitized before being concatenated into a command string that is executed on the server. This flaw allows arbitrary command execution.

Impact

Exploitation of this vulnerability could lead to arbitrary command execution on the server where the application is running.

Reproduction

The vulnerability can be reproduced by inputting crafted data into the 'exp_dir1', 'np7', 'trainset_dir4', and 'sr2' variables. This can be done through the application's user interface or by modifying the source code to include the malicious input. Once the input is provided, the 'preprocess_dataset' function is called, which concatenates the user input into a command that is executed on the server. This process can be repeated with the 'extract_f0_feature', 'click_train', and other functions that exhibit similar command injection vulnerabilities.
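As an added illustration (not the project's code), the following is a hypothetical reconstruction of the concatenation pattern the advisory describes, next to a hardened version of the same call that validates the four fields and passes an argv list to subprocess so no shell parses the values. The script name 'preprocess.py' and the set of allowed sample rates are assumptions.

```python
import re
import subprocess
import sys
from pathlib import Path

# Hypothetical reconstruction of the pattern the advisory describes (not the
# project's code): form fields are concatenated into one shell string, so the
# shell, not the application, decides where each argument ends.
def build_preprocess_cmd_vulnerable(trainset_dir4, exp_dir1, sr2, np7):
    cmd = ("python preprocess.py " + trainset_dir4 + " " + str(sr2)
           + " " + str(np7) + " logs/" + exp_dir1)
    return cmd  # the app would then run this with subprocess.Popen(cmd, shell=True)

# Hardened form: validate every field against what the UI legitimately offers,
# then hand subprocess an argv list (shell=False), so each value is exactly one
# argument regardless of its content.
EXP_NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")
ALLOWED_SR = {"32k", "40k", "48k"}  # assumed set of sample rates the sr2 radio offers

def build_preprocess_argv(trainset_dir4, exp_dir1, sr2, np7):
    if not EXP_NAME_RE.fullmatch(exp_dir1) or exp_dir1 in {".", ".."}:
        raise ValueError("exp_dir1 must be a plain experiment name")
    if sr2 not in ALLOWED_SR:
        raise ValueError("sr2 must be one of %s" % sorted(ALLOWED_SR))
    try:
        threads = int(np7)
    except (TypeError, ValueError):
        raise ValueError("np7 must be an integer") from None
    if not 1 <= threads <= 256:
        raise ValueError("np7 out of range")
    dataset = Path(trainset_dir4).expanduser().resolve()
    if not dataset.is_dir():
        raise ValueError("trainset_dir4 must be an existing directory")
    log_dir = Path("logs") / exp_dir1
    # Each element reaches execve() as a single argument; no shell interprets it.
    return [sys.executable, "preprocess.py", str(dataset), sr2, str(threads), str(log_dir)]

def run_preprocess(trainset_dir4, exp_dir1, sr2, np7):
    argv = build_preprocess_argv(trainset_dir4, exp_dir1, sr2, np7)
    return subprocess.run(argv, check=True)  # shell=False is the default
```

The validation rejects any field that does not match what the UI itself would produce, so a value that carries extra tokens never reaches the subprocess call.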

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 8.7
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.