{
  "affected": [
    {
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "c145d4604df67e6fc625992412eef0bf9a85e26b"
            }
          ],
          "repo": "https://github.com/google/voice-builder",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "f6660e6d8f0d1d931359d591dbdec580fef36d36"
            }
          ],
          "repo": "https://github.com/google/voice-builder",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "c145d4604df67e6fc625992412eef0bf9a85e26b"
            }
          ],
          "repo": "https://github.com/google/voice-builder",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "f6660e6d8f0d1d931359d591dbdec580fef36d36"
            }
          ],
          "repo": "https://github.com/google/voice-builder",
          "type": "GIT"
        }
      ]
    }
  ],
  "details": "Voice Builder Prior to commit c145d4604df67e6fc625992412eef0bf9a85e26b and f6660e6d8f0d1d931359d591dbdec580fef36d36 is affected by: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'). The impact is: Remote code execution with the same privileges as the servers. The component is: Two web servers in the projects expose three vulnerable endpoints that can be accessed remotely. The endpoints are defined at: - /tts: https://github.com/google/voice-builder/blob/3a449a3e8d5100ff323161c89b897f6d5ccdb6f9/merlin_model_server/api.js#L34 - /alignment: https://github.com/google/voice-builder/blob/3a449a3e8d5100ff323161c89b897f6d5ccdb6f9/festival_model_server/api.js#L28 - /tts: https://github.com/google/voice-builder/blob/3a449a3e8d5100ff323161c89b897f6d5ccdb6f9/festival_model_server/api.js#L65. The attack vector is: Attacker sends a GET request to the vulnerable endpoint with a specially formatted query parameter. The fixed version is: After commit f6660e6d8f0d1d931359d591dbdec580fef36d36.",
  "id": "CVE-2019-1010200",
  "modified": "2026-03-13T21:47:46.509686027Z",
  "published": "2019-07-23T18:15:14.377Z",
  "references": [
    {
      "type": "FIX",
      "url": "https://github.com/google/voice-builder/commit/c145d4604df67e6fc625992412eef0bf9a85e26b"
    },
    {
      "type": "FIX",
      "url": "https://github.com/google/voice-builder/commit/f6660e6d8f0d1d931359d591dbdec580fef36d36"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}