VYPR
Medium severity (6.3) · OSV Advisory · Published Apr 12, 2024 · Updated Apr 15, 2026

CVE-2024-31462

Description

stable-diffusion-webui is a web interface for Stable Diffusion, implemented using the Gradio library. stable-diffusion-webui 1.7.0 is vulnerable to a limited file write affecting Windows systems. The create_ui method (Backup/Restore tab) in modules/ui_extensions.py takes user input into the config_save_name variable on line 653. This user input is later used in the save_config_state method to build a file path on line 65, which is then opened for writing on line 67, leading to a limited file write exploitable on Windows systems. The impact is a limited file write: JSON files can be written anywhere on the server where the web server process has write access.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

stable-diffusion-webui 1.7.0 on Windows is vulnerable to arbitrary JSON file write via path traversal in the Backup/Restore tab.

Vulnerability Overview

CVE-2024-31462 affects stable-diffusion-webui version 1.7.0, a popular web interface for Stable Diffusion. The vulnerability is a path traversal flaw in the create_ui method within the Backup/Restore tab (file modules/ui_extensions.py). The application takes user input from the interface and assigns it to the config_save_name variable without sufficient sanitization. This unsanitized input is later used in the save_config_state method to construct a file path, which is then opened for writing JSON content [1][4].

Exploitation Conditions

The issue is exploitable specifically on Windows systems. An attacker must be able to reach the Backup/Restore UI tab and supply a crafted config_save_name value that includes path traversal sequences (e.g., ..\\ or absolute paths). No authentication is required if the web interface is exposed, so the outcome is an arbitrary file write bounded only by the web server process's file system permissions [2][3].

Impact

Successful exploitation allows an attacker to write arbitrary JSON files to any location on the server where the web server process has write access. While limited to the JSON format, this can be leveraged to overwrite configuration files (like config.json) or inject malicious settings into extension files, potentially leading to further compromise such as remote code execution via crafted UI extensions [1].

Mitigation and Status

As of the publication date (April 12, 2024), no patch has been released by the project maintainers. Users running stable-diffusion-webui on Windows should restrict access to the web interface to trusted networks and monitor for updates from the official repository. The vulnerability has been reported, and the maintainers have acknowledged the issue [1].
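As an added illustration (not code from the stable-diffusion-webui project), the unsafe pattern the advisory describes is shown next to a name-validation check that would block it; the function names, the config_states directory and the character whitelist are assumptions, and the Windows reserved-device check is a caveat worth keeping even after a traversal fix.

```python
import re
from pathlib import Path

# Assumed directory layout; the project's real constant may differ.
CONFIG_STATES_DIR = Path("config_states")

# Vulnerable pattern, reconstructed from the advisory text (not the project's source):
# the user-supplied name is joined straight into the path that is then opened for writing.
def save_config_state_vulnerable(config_save_name: str) -> Path:
    return CONFIG_STATES_DIR / f"{config_save_name}.json"  # no validation at all

# Whitelist: letters, digits, space, '_', '.', '-'; must start with a letter or digit.
# This rejects '/', '\\' and ':' (separators and drive letters on Windows) and a leading '.'.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 _.-]{0,63}$")

# Windows treats these basenames as devices regardless of extension ("CON.json" -> CON).
_WINDOWS_RESERVED = {"CON", "PRN", "AUX", "NUL",
                     *(f"COM{i}" for i in range(1, 10)),
                     *(f"LPT{i}" for i in range(1, 10))}

def safe_config_state_path(config_save_name: str,
                           base_dir: Path = CONFIG_STATES_DIR) -> Path:
    """Return a path for the name that is guaranteed to sit inside base_dir, else raise."""
    name = config_save_name.strip()
    if not _SAFE_NAME.fullmatch(name) or ".." in name:
        raise ValueError(f"invalid config state name: {config_save_name!r}")
    if name.split(".")[0].upper() in _WINDOWS_RESERVED:
        raise ValueError(f"reserved device name: {config_save_name!r}")
    # Defense in depth: resolve the final path and confirm it is still under base_dir.
    base = base_dir.resolve()
    target = (base / f"{name}.json").resolve()
    if base not in target.parents:
        raise ValueError("resolved path escapes the config states directory")
    return target

def is_safe_config_state_name(config_save_name: str) -> bool:
    """Convenience predicate: True only if safe_config_state_path accepts the name."""
    try:
        safe_config_state_path(config_save_name)
        return True
    except ValueError:
        return False
```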

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.