JVNDB-2024-000052

Multiple vulnerabilities in UTAU

Overview

UTAU provided by ameya/ayame contains multiple vulnerabilities listed below.

- OS command injection (CWE-78) - CVE-2024-28886
- Path Traversal (CWE-22) - CVE-2024-32944

Yu Ishibashi reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVSS Severity

CVSS V3 Severity: Base Metrics 5.3 (Medium) [IPA Score]
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
The above CVSS base score has been assigned for CVE-2024-28886.

CVSS V3 Severity: Base Metrics 3.3 (Low) [IPA Score]
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
The above CVSS base score has been assigned for CVE-2024-32944.

Affected Products

ameya/ayame
- UTAU versions prior to v0.4.19

Impact

If a user of the product opens a crafted UTAU project file (.ust file), an arbitrary OS command may be executed (CVE-2024-28886).
If a user of the product installs a crafted UTAU voicebank installer (.uar file, .zip file) to UTAU, an arbitrary file may be placed (CVE-2024-32944).
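
The file-placement issue behind CVE-2024-32944 is the classic archive path traversal: an installer that writes each entry wherever its stored name points will follow ".." or absolute components out of the voicebank directory. The following Python example is added here and is not code from UTAU or its developer; it shows the check an extractor should apply before writing any entry. It assumes the installer is a plain zip archive (the page lists .uar and .zip) and uses a constructed three-entry sample archive.

```python
import io
import os
import tempfile
import zipfile

def safe_extract(zip_bytes: bytes, dest: str) -> dict:
    """Extract an archive into dest, refusing entries that would escape it.
    Returns {"extracted": [...], "rejected": [...]} with the entry names."""
    result = {"extracted": [], "rejected": []}
    root = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Archives built on Windows may carry backslash separators.
            name = info.filename.replace("\\", "/")
            parts = name.split("/")
            # Reject absolute paths, drive-letter prefixes and any '..' step,
            # checked textually so the rule is identical on every platform.
            if name.startswith("/") or (len(name) > 1 and name[1] == ":") or ".." in parts:
                result["rejected"].append(info.filename)
                continue
            target = os.path.join(dest, *parts)
            # Independent second check on the resolved path (defence in depth).
            if os.path.commonpath([root, os.path.realpath(target)]) != root:
                result["rejected"].append(info.filename)
                continue
            os.makedirs(target if info.is_dir() else os.path.dirname(target), exist_ok=True)
            if not info.is_dir():
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            result["extracted"].append(info.filename)
    return result

def build_sample_voicebank() -> bytes:
    """Constructed sample: one legitimate entry and two that try to escape."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("myvoice/oto.ini", "a.wav=a,0,0,0,0,0\n")
        zf.writestr("../escaped.txt", "outside the voice directory\n")
        zf.writestr("..\\..\\escaped2.txt", "backslash variant\n")
    return buf.getvalue()

def run_demo() -> dict:
    """Extract the sample into a fresh temporary tree and report the outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "voices")   # hypothetical voicebank directory
        os.makedirs(dest)
        report = safe_extract(build_sample_voicebank(), dest)
        report["oto_ini_present"] = os.path.isfile(os.path.join(dest, "myvoice", "oto.ini"))
        report["nothing_escaped"] = not os.path.exists(os.path.join(tmp, "escaped.txt"))
        return report
```

The textual check alone already rejects both hostile entries; the resolved-path comparison is kept so that a symlink or an unusual normalisation inside the destination cannot reopen the hole.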

Solution

[Update the software]
Update the software to the latest version according to the information provided by the developer.

Vendor Status

ameya/ayame

CWE

- Path Traversal (CWE-22) [IPA Evaluation]
- OS Command Injection (CWE-78) [IPA Evaluation]

References

- CVE-2024-28886
- CVE-2024-32944
- JVN: JVN#71404925

Revision History

- [2024/05/28] Web page was published