### [CVE-2024-39688](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39688)
![](https://img.shields.io/static/v1?label=Product&message=Bert-VITS2&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=%3D%20%3C%3D%202.3%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-22%3A%20Improper%20Limitation%20of%20a%20Pathname%20to%20a%20Restricted%20Directory%20('Path%20Traversal')&color=brighgreen)

### Description

Bert-VITS2 is the VITS2 Backbone with multilingual bert. User input supplied to the data_dir variable is concatenated with other folders and used to open a new file in the generate_config function, which leads to a limited file write. The issue allows for writing /config/config.json file in arbitrary directory on the server. If a given directory path doesn’t exist, the application will return an error, so this vulnerability could also be used to gain information about existing directories on the server. This affects fishaudio/Bert-VITS2 2.3 and earlier.

### POC

#### Reference
- https://securitylab.github.com/advisories/GHSL-2024-045_GHSL-2024-047_fishaudio_Bert-VITS2/

#### Github
No PoCs found on GitHub currently.