Published: 2024/05/28  Last Updated: 2024/05/28

JVN#71404925
Multiple vulnerabilities in UTAU

Overview

UTAU provided by ameya/ayame contains multiple vulnerabilities.

Products Affected

  • UTAU versions prior to v0.4.19

Description

UTAU provided by ameya/ayame contains multiple vulnerabilities listed below.

  • OS command injection (CWE-78)
    • CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L Base Score 5.3
    • CVE-2024-28886
  • Path Traversal (CWE-22)
    • CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N Base Score 3.3
    • CVE-2024-32944

Impact

  • If a user of the product opens a crafted UTAU project file (.ust file), an arbitrary OS command may be executed with the privileges of the user (CVE-2024-28886)
  • If a user of the product installs a crafted UTAU voicebank installer (.uar file, .zip file) into UTAU, an arbitrary file may be placed outside the intended voicebank directory (CVE-2024-32944)
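The second issue is the archive path traversal pattern (CWE-22): a member name inside the .uar/.zip such as ../../x or an absolute path is written wherever it points if the installer does not validate it. The following is an added example, not UTAU's code and not the patched logic (the advisory does not describe how UTAU extracts voicebanks); it shows the member-name check an installer needs and a defence-in-depth check on the resolved destination. The sample archive is constructed in memory, the voicebank name "toyvoice" and the member names are illustrative.

```python
import io
import os
import tempfile
import zipfile
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple


def is_unsafe_member(name: str) -> bool:
    """Return True if an archive member name could escape the extraction root.

    Rejects empty names, absolute paths (POSIX '/' prefix, Windows drive letters
    and UNC prefixes) and any '..' component. Both '/' and '\\' are treated as
    separators because a crafted archive may use either regardless of platform.
    """
    if not name:
        return True
    norm = name.replace("\\", "/")
    if norm.startswith("/"):
        return True
    if PureWindowsPath(name).drive:  # 'C:' or '\\\\server\\share'
        return True
    parts = [p for p in norm.split("/") if p not in ("", ".")]
    return ".." in parts


def safe_extract(zip_bytes: bytes, dest: str) -> Tuple[List[str], List[str]]:
    """Extract only members that pass the name check; return (extracted, rejected).

    As a second line of defence the resolved target path of every member is
    required to lie under `dest` before any byte is written, so a name that
    slips past the syntactic check still cannot land outside the root.
    """
    root = os.path.realpath(dest)
    extracted: List[str] = []
    rejected: List[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if is_unsafe_member(name):
                rejected.append(name)
                continue
            parts = [p for p in name.replace("\\", "/").split("/") if p]
            target = os.path.realpath(os.path.join(root, *parts))
            if os.path.commonpath([root, target]) != root:
                rejected.append(name)
                continue
            if name.endswith("/"):
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            extracted.append(name)
    return extracted, rejected


def build_sample_voicebank() -> bytes:
    """Constructed toy voicebank archive: two legitimate members plus four
    traversal attempts of the kind a crafted .uar/.zip would carry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("toyvoice/character.txt", "name=toyvoice\n")
        zf.writestr("toyvoice/a.wav", b"RIFF....")          # placeholder bytes
        zf.writestr("../../startup/evil.bat", "@echo pwned\n")
        zf.writestr("..\\..\\evil.txt", "x")                # Windows-style separators
        zf.writestr("C:/Windows/Temp/evil.txt", "x")       # drive-letter absolute path
        zf.writestr("/etc/evil", "x")                      # POSIX absolute path
    return buf.getvalue()


def demo(dest: Optional[str] = None) -> Tuple[List[str], List[str]]:
    """Extract the constructed archive into a fresh temp directory (or `dest`)."""
    root = dest or tempfile.mkdtemp(prefix="uar_demo_")
    return safe_extract(build_sample_voicebank(), root)


if __name__ == "__main__":
    ok, bad = demo()
    print("extracted:", ok)
    print("rejected: ", bad)
```

Note that CPython's own ZipFile.extract() already strips drive letters and '..' components from member names; the explicit check above is what an installer written in another language, or one that opens members by name and writes them itself, has to reproduce. Symlink members are not an issue for ZIP as Python reads it (they are stored as regular files), but an extractor that honours symlink entries must also refuse links that point outside the root.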

Solution

Update the software
Update the software to the latest version according to the information provided by the developer.

Credit

Yu Ishibashi reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

CVE: CVE-2024-28886, CVE-2024-32944
JVN iPedia: JVNDB-2024-000052