Retrieval-Based Voice Conversion WebUI Command Injection Vulnerability
Vulnerability
A command injection vulnerability has been identified in Retrieval-Based Voice Conversion WebUI, a voice-changing framework based on VITS. This vulnerability affects versions through 2.2.231006. The issue arises in the 'infer-web.py' file, where user input is improperly sanitized before being passed to command execution functions. This flaw allows for arbitrary command execution on the server.
Impact
Exploitation of this vulnerability could lead to arbitrary command execution on the server.
Reproduction
The vulnerability can be reproduced by supplying crafted input containing command injection payloads through the 'exp_dir1', 'np7', 'trainset_dir4', and 'sr2' variables. These values are passed to the 'preprocess_dataset' and 'extract_f0_feature' functions, where they are concatenated into a command string that is executed on the server. The 'click_train' function exhibits the same weakness: user input flows unescaped into commands executed on the server. In practice this means entering such payloads into the corresponding input fields of the web interface.
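As an added illustration (not code from the project or from this advisory), the string-concatenation pattern described above is shown beside a hardened form that validates each of the named fields and hands an argv list to subprocess with shell=False. The script name preprocess.py, the dataset root, the sample-rate allow-list and the process-count bound are assumptions chosen for the example.

```python
import re
import subprocess
from pathlib import Path

# Constructed policy values (assumptions, not taken from the project):
DATA_ROOT = Path("/srv/rvc/datasets")             # only datasets under here may be used
ALLOWED_SR = {"32000", "40000", "48000"}          # sr2 must be one of these strings
EXP_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")  # exp_dir1 becomes a path component
MAX_PROCS = 64                                    # upper bound for np7

def build_preprocess_cmd_unsafe(trainset_dir4, sr2, np7, exp_dir1):
    """The vulnerable pattern: fields are spliced into one string destined for a
    shell, so any shell metacharacter in a field changes the command. Kept only
    for contrast; never pass its result to os.system() or shell=True."""
    return f"python preprocess.py {trainset_dir4} {sr2} {np7} logs/{exp_dir1}"

def build_preprocess_argv(trainset_dir4, sr2, np7, exp_dir1):
    """Hardened form: validate each field against what the pipeline actually
    needs, then return an argv list so no shell ever parses the values."""
    if sr2 not in ALLOWED_SR:
        raise ValueError("sr2: unsupported sample rate")
    if not np7.isdigit() or not 1 <= int(np7) <= MAX_PROCS:
        raise ValueError("np7: must be an integer between 1 and %d" % MAX_PROCS)
    if not EXP_NAME_RE.fullmatch(exp_dir1):
        raise ValueError("exp_dir1: only letters, digits, '_' and '-' allowed")
    dataset = Path(trainset_dir4).resolve()       # collapses '..' before the check
    if not dataset.is_relative_to(DATA_ROOT.resolve()):
        raise ValueError("trainset_dir4: must be inside %s" % DATA_ROOT)
    return ["python", "preprocess.py", str(dataset), sr2, np7, "logs/" + exp_dir1]

def run_preprocess(trainset_dir4, sr2, np7, exp_dir1):
    """Execute with shell=False: each argv element reaches the child verbatim."""
    argv = build_preprocess_argv(trainset_dir4, sr2, np7, exp_dir1)
    return subprocess.run(argv, shell=False, check=True, capture_output=True)

def is_rejected(trainset_dir4, sr2, np7, exp_dir1):
    """True when validation refuses the field set (handy for policy checks)."""
    try:
        build_preprocess_argv(trainset_dir4, sr2, np7, exp_dir1)
    except ValueError:
        return True
    return False
```

Validation on its own is not a substitute for avoiding the shell: the argv list is what guarantees metacharacters are never interpreted, and the allow-lists additionally keep path traversal and oversized process counts out.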