222 matches found
CVE-2024-11042
In invoke-ai/invokeai version v5.0.2, the web API POST /api/v1/images/delete is vulnerable to Arbitrary File Deletion. This vulnerability allows unauthorized attackers to delete arbitrary files on the server, potentially including critical or sensitive system files such as SSH keys, SQLite...
CVE-2024-11043
A Denial of Service DoS vulnerability was discovered in the /api/v1/boards/boardid endpoint of invoke-ai/invokeai version v5.0.2. This vulnerability occurs when an excessively large payload is sent in the boardname field during a PATCH request. By sending a large payload, the UI becomes...
CVE-2024-10821
A Denial of Service DoS vulnerability in the multipart request boundary processing mechanism of the Invoke-AI server version v5.0.1 allows unauthenticated attackers to cause excessive resource consumption. The server fails to handle excessive characters appended to the end of multipart boundaries...
CVE-2024-11043 Denial of Service (DoS) via Large Payload in Board Name Field in invoke-ai/invokeai
A Denial of Service DoS vulnerability was discovered in the /api/v1/boards/boardid endpoint of invoke-ai/invokeai version v5.0.2. This vulnerability occurs when an excessively large payload is sent in the boardname field during a PATCH request. By sending a large payload, the UI becomes...
CVE-2024-11043 Denial of Service (DoS) via Large Payload in Board Name Field in invoke-ai/invokeai
A Denial of Service DoS vulnerability was discovered in the /api/v1/boards/boardid endpoint of invoke-ai/invokeai version v5.0.2. This vulnerability occurs when an excessively large payload is sent in the boardname field during a PATCH request. By sending a large payload, the UI becomes...
CVE-2024-11043
The CVE-2024-11043 DoS affects the InvokeAI project (version v5.0.2) via the /api/v1/boards/{board_id} PATCH endpoint when an excessively large board_name payload is sent, causing the UI to become unresponsive and blocking board deletion. This is triggered by crafting a large payload in the board...
CVE-2024-10821 Denial of Service (DoS) in invoke-ai/invokeai
A Denial of Service DoS vulnerability in the multipart request boundary processing mechanism of the Invoke-AI server version v5.0.1 allows unauthenticated attackers to cause excessive resource consumption. The server fails to handle excessive characters appended to the end of multipart boundaries...
CVE-2024-10821
CVE-2024-10821 affects the InvokeAI server (version v5.0.1). The vulnerability lies in the multipart request boundary handling, where appending excessive characters to the end of boundaries can cause an infinite loop and exhaust CPU/memory, leading to DoS on the endpoint /api/v1/images/upload . A...
CVE-2024-10821 Denial of Service (DoS) in invoke-ai/invokeai
A Denial of Service DoS vulnerability in the multipart request boundary processing mechanism of the Invoke-AI server version v5.0.1 allows unauthenticated attackers to cause excessive resource consumption. The server fails to handle excessive characters appended to the end of multipart boundaries...
CVE-2024-11042
CVE-2024-11042 affects invoke-ai/invokeai v5.0.2. The web API endpoint POST /api/v1/images/delete is vulnerable to Arbitrary File Deletion , enabling an attacker to delete arbitrary server files (e.g., SSH keys, SQLite databases, configuration files), potentially compromising integrity and availa...
CVE-2024-11042 Arbitrary File Delete in invoke-ai/invokeai
In invoke-ai/invokeai version v5.0.2, the web API POST /api/v1/images/delete is vulnerable to Arbitrary File Deletion. This vulnerability allows unauthorized attackers to delete arbitrary files on the server, potentially including critical or sensitive system files such as SSH keys, SQLite...
CVE-2024-11042 Arbitrary File Delete in invoke-ai/invokeai
In invoke-ai/invokeai version v5.0.2, the web API POST /api/v1/images/delete is vulnerable to Arbitrary File Deletion. This vulnerability allows unauthorized attackers to delete arbitrary files on the server, potentially including critical or sensitive system files such as SSH keys, SQLite...
CVE-2024-12029 Remote Code Execution via Model Deserialization in invoke-ai/invokeai
A remote code execution vulnerability exists in invoke-ai/invokeai versions 5.3.1 through 5.4.2 via the /api/v2/models/install API. The vulnerability arises from unsafe deserialization of model files using torch.load without proper validation. Attackers can exploit this by embedding malicious cod...
CVE-2024-12029
Summary: CVE-2024-12029 affects invoke-ai/invokeai prior to 5.4.3, via unsafe deserialization in the /api/v2/models/install API, leading to remote code execution when loading model files through torch.load. Affected software: invoke-ai/invokeai, versions 5.3.1 through 5.4.2 (and up to 5.4.2 per s...
Invoke 输入验证错误漏洞
Invoke is a leading creative engine for stabilizing diffusion models open-sourced by InvokeAI. An input validation error vulnerability exists in Invoke version v5.0.2, which stems from an arbitrary file deletion vulnerability in the POST /api/v1/images/delete API...
Invoke 资源管理错误漏洞
Invoke is a leading creative engine for stabilizing diffusion models in InvokeAI open source. A resource management error vulnerability exists in Invoke v5.0.1, which stems from a flaw in the multipart request boundary handling mechanism that allows an unauthenticated user to cause a denial of...
Invoke 安全漏洞
Invoke is a leading creative engine for stabilizing diffusion models open-sourced by InvokeAI. A security vulnerability exists in Invoke version v5.0.2, which stems from a denial of service attack vulnerability in the /api/v1/boards/boardid endpoint...
Invoke 安全漏洞
Invoke is a leading creative engine for stabilizing diffusion models open-sourced by InvokeAI. A security vulnerability exists in Invoke versions 5.3.1 through 5.4.2, which stems from improper deserialization of model files and could lead to remote code execution...
CVE-2024-21469
Memory corruption when an invoke call and a TEE call are bound for the same trusted application...
CVE-2024-21469
Memory corruption when an invoke call and a TEE call are bound for the same trusted application...