PyPI: invokeai

CVE-2022-0845

Transitive

Safety vulnerability ID: 63299

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Mar 05, 2022 Updated at Jun 05, 2024

Advisory

InvokeAI 2.0.2 updates its dependency pytorch-lightning from version 1.4.2 to 1.7.7. The update was prompted by CVE-2022-0845, a vulnerability in pytorch-lightning itself, which is why this advisory is listed as transitive: InvokeAI releases before 2.0.2 pull in the older pytorch-lightning through their dependency requirement rather than containing the flaw in their own code, so an installed InvokeAI is only clear of this advisory once the pytorch-lightning actually resolved into its environment is at or above the bumped version. Commit carrying the bump:
https://github.com/invoke-ai/InvokeAI/commit/90d37eac034592cc3aed5a15a98971801b21988e
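Because the affected package is a transitive dependency, the practical check is against what is actually installed (for example `pip freeze` output) rather than against the InvokeAI version alone. The script below is an added example, not code from InvokeAI or from the Safety project: it parses frozen pins, normalizes package names the way PyPI does (so `pytorch_lightning` and `PyTorch-Lightning` match), and flags anything below a floor version. The floors are taken from this advisory's text (pytorch-lightning 1.7.7, and InvokeAI 2.0.2 as the first release shipping that bump); the upstream pytorch-lightning release that first fixed CVE-2022-0845 is not stated on this page, so treat the table as a parameter. The `pip freeze` sample is constructed for illustration.

```python
"""Flag frozen pins that are older than the versions this advisory moved to."""
import re

# Floors taken from the advisory text on this page (assumption: treat these as
# the minimum acceptable versions; the page does not state upstream's own fix
# version for CVE-2022-0845). Keys are PEP 503 normalized names.
FIX_FLOOR = {
    "pytorch-lightning": "1.7.7",
    "invokeai": "2.0.2",  # first InvokeAI release carrying the bump, per the advisory
}

# Constructed `pip freeze`-style sample for illustration only; not a real environment.
SAMPLE_FREEZE = """\
# local editable checkout, pinned elsewhere
-e ./local-plugin
invokeai==2.0.1
numpy==1.23.3
PyTorch_Lightning==1.4.2
torch==1.12.1
"""


def normalize_name(name: str) -> str:
    """PEP 503 normalization so pytorch_lightning, PyTorch-Lightning, etc. compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(text: str) -> tuple:
    """Return the numeric release segment of a version as a tuple of ints.

    Pre-release/post/dev/local suffixes are ignored (assumption: frozen pins are
    plain releases). Comparing tuples rather than strings keeps 1.10.0 > 1.7.7.
    """
    m = re.match(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def version_lt(a: tuple, b: tuple) -> bool:
    """a < b with missing trailing components treated as zero (1.7 == 1.7.0)."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def parse_freeze(text: str):
    """Yield (name, version) for exact '==' pins; skip comments and option lines (-e, -r)."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)==([^\s;]+)", line)
        if m:
            yield m.group(1), m.group(2)


def find_below_floor(freeze_text: str, floors=FIX_FLOOR):
    """Return [(name, pinned_version, floor)] for every pin older than its floor."""
    hits = []
    for name, version in parse_freeze(freeze_text):
        floor = floors.get(normalize_name(name))
        if floor is not None and version_lt(parse_version(version), parse_version(floor)):
            hits.append((name, version, floor))
    return hits


if __name__ == "__main__":
    for name, version, floor in find_below_floor(SAMPLE_FREEZE):
        print(f"{name}=={version} is below the advisory floor {floor}")
```

Run it against real output with `pip freeze | python check.py` adapted to read stdin, or point it at a lock file. Two details matter in practice: the name normalization, because pins written as `pytorch_lightning` would otherwise be missed, and the numeric comparison, because a string comparison would wrongly report `1.10.0` as older than `1.7.7`.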

Affected package

invokeai

Latest version: 4.2.4

An implementation of Stable Diffusion which provides various new features and options to aid the image generation process

Affected versions

Fixed versions

Vulnerability changelog

The invoke-ai team is excited to be able to share the release of InvokeAI 2.0 - A Stable Diffusion Toolkit, a project that aims to provide enthusiasts and professionals both a suite of robust image creation tools. Optimized for efficiency, InvokeAI needs only ~3.5GB of VRAM to generate a 512x768 image (and less for smaller images), and is compatible with Windows/Linux/Mac (M1 & M2).

InvokeAI was one of the earliest forks of the core CompVis repo (formerly lstein/stable-diffusion), and recently evolved into a full-fledged community driven and open source stable diffusion toolkit named *InvokeAI*. Version 2.0.0 of the tool introduces an entirely new WebUI Front-end with a Desktop mode, and an optimized back-end server that can be interacted with via CLI or extended with your own fork.

Release 2.0.2 updates three Python dependencies that were recently reported to have critical security holes, and enhances documentation. Otherwise, the feature set is identical to 2.0.1.

This version of the app improves in-app workflows leveraging GFPGAN and Codeformer for face restoration, and RealESRGAN upscaling - Additionally, the CLI also supports a large variety of features:
- Inpainting
- Outpainting
- Negative Prompts (prompt unconditioning)
- Fast online model switching
- Textual Inversion
- Improved Quality for Hi-Resolution Images (Embiggen, Hi-res Fixes, etc.)
- And more...

Planned future updates include UI-driven outpainting/inpainting, robust Cross Attention support, and an advanced node workflow for automating and sharing your workflows with the community.

What's Changed
* hotfix(venv): rename 'ldm' -> 'invokeai' by tildebyte in https://github.com/invoke-ai/InvokeAI/pull/1014
* Fix two broken links in README by Miserlou in https://github.com/invoke-ai/InvokeAI/pull/1026
* fixed old reference to ldm on activate env by nunocoracao in https://github.com/invoke-ai/InvokeAI/pull/1029
* Fix the link to the weights download page by Hkmu in https://github.com/invoke-ai/InvokeAI/pull/1041
* reintroduce fix for m1 from https://github.com/invoke-ai/InvokeAI/pull/579 missing after merge by skurovec in https://github.com/invoke-ai/InvokeAI/pull/1055
* More mkdocs updates by mauwii in https://github.com/invoke-ai/InvokeAI/pull/1057
* Add back old `dream.py` as `legacy_api.py` by CapableWeb in https://github.com/invoke-ai/InvokeAI/pull/1070

New Contributors
* Miserlou made their first contribution in https://github.com/invoke-ai/InvokeAI/pull/1026
* nunocoracao made their first contribution in https://github.com/invoke-ai/InvokeAI/pull/1029
* Hkmu made their first contribution in https://github.com/invoke-ai/InvokeAI/pull/1041

**Full Changelog**: https://github.com/invoke-ai/InvokeAI/compare/v2.0.0...v2.0.1

What's Changed
* update mac instructions to use invokeai for env name by willwillems in https://github.com/invoke-ai/InvokeAI/pull/1030
* Update .gitignore by blessedcoolant in https://github.com/invoke-ai/InvokeAI/pull/1040
* reintroduce fix for m1 from https://github.com/invoke-ai/InvokeAI/pull/579 missing after merge by skurovec in https://github.com/invoke-ai/InvokeAI/pull/1056
* Update Stable_Diffusion_AI_Notebook.ipynb (Take 2) by ChloeL19 in https://github.com/invoke-ai/InvokeAI/pull/1060
* Print out the device type which is used by manzke in https://github.com/invoke-ai/InvokeAI/pull/1073
* Hires Addition by hipsterusername in https://github.com/invoke-ai/InvokeAI/pull/1063
* fix for "1 leaked semaphore objects to clean up at shutdown" on M1 by skurovec in https://github.com/invoke-ai/InvokeAI/pull/1081
* Forward dream.py to invoke.py using the same interpreter, add deprecation warning by db3000 in https://github.com/invoke-ai/InvokeAI/pull/1077
* fix noisy images at high step counts by lstein in https://github.com/invoke-ai/InvokeAI/pull/1086
* Generalize facetool strength argument by db3000 in https://github.com/invoke-ai/InvokeAI/pull/1078
* Enable fast switching among models at the invoke> command line by lstein in https://github.com/invoke-ai/InvokeAI/pull/1066
* Fix Typo, committed changing ldm environment to invokeai by jdries3 in https://github.com/invoke-ai/InvokeAI/pull/1095
* Update generate.py by unreleased in https://github.com/invoke-ai/InvokeAI/pull/1109
* Update 'ldm' env to 'invokeai' in troubleshooting steps by 19wolf in https://github.com/invoke-ai/InvokeAI/pull/1125
* Fixed documentation typos and resolved merge conflicts by rupeshs in https://github.com/invoke-ai/InvokeAI/pull/1123
* Fix broken doc links, fix malaprop in the project subtitle by majick in https://github.com/invoke-ai/InvokeAI/pull/1131
* Only output facetool parameters if enhancing faces by db3000 in https://github.com/invoke-ai/InvokeAI/pull/1119
* Update gitignore to ignore codeformer weights at new location by spezialspezial in https://github.com/invoke-ai/InvokeAI/pull/1136
* fix links to point to invoke-ai.github.io 1117 by mauwii in https://github.com/invoke-ai/InvokeAI/pull/1143
* Rework-mkdocs by mauwii in https://github.com/invoke-ai/InvokeAI/pull/1144
* add option to CLI and pngwriter that allows user to set PNG compression level by lstein in https://github.com/invoke-ai/InvokeAI/pull/1127
* Fix img2img DDIM index out of bound by wfng92 in https://github.com/invoke-ai/InvokeAI/pull/1137
* Fix gh actions by mauwii in https://github.com/invoke-ai/InvokeAI/pull/1128

New Contributors
* willwillems made their first contribution in https://github.com/invoke-ai/InvokeAI/pull/1030
* ChloeL19 made their first contribution in https://github.com/invoke-ai/InvokeAI/pull/1060
* manzke made their first contribution in https://github.com/invoke-ai/InvokeAI/pull/1073
* unreleased made their first contribution in https://github.com/invoke-ai/InvokeAI/pull/1109
* rupeshs made their first contribution in https://github.com/invoke-ai/InvokeAI/pull/1123
* majick made their first contribution in https://github.com/invoke-ai/InvokeAI/pull/1131
* wfng92 made their first contribution in https://github.com/invoke-ai/InvokeAI/pull/1137

**Full Changelog**: https://github.com/invoke-ai/InvokeAI/compare/v2.0.1...v2.0.2


Severity Details

CVSS Base Score

CRITICAL 9.8

CVSS v3 Details

CRITICAL 9.8
Attack Vector (AV)
NETWORK
Attack Complexity (AC)
LOW
Privileges Required (PR)
NONE
User Interaction (UI)
NONE
Scope (S)
UNCHANGED
Confidentiality Impact (C)
HIGH
Integrity Impact (I)
HIGH
Availability Impact (A)
HIGH

CVSS v2 Details

HIGH 10.0
Access Vector (AV)
NETWORK
Access Complexity (AC)
LOW
Authentication (Au)
NONE
Confidentiality Impact (C)
COMPLETE
Integrity Impact (I)
COMPLETE
Availability Impact (A)
COMPLETE