Attackers can steal sensitive data from CVAT users
CVE-2024-37306

CVSS score: 7.1 (HIGH)

Key Information:

Vendor: Cvat-ai

Status: Vendor

CVE Published: 13 June 2024

What is CVE-2024-37306?

The Computer Vision Annotation Tool (CVAT) prior to version 2.14.3 is susceptible to an arbitrary file overwrite vulnerability. The issue is triggered when an attacker deceives a logged-in CVAT user into navigating to a malicious URL: because the resulting request is made within the victim's authenticated session, the attacker can start a dataset export or backup of any project, task, or job that the victim is authorized to access. The attacker also controls the name of the resulting file, so the export can overwrite arbitrary files in any cloud storage the victim can reach. Moreover, if the attacker has read access to that cloud storage, they can retrieve sensitive media files, annotations, settings, and other data from every project the victim is able to export. Version 2.14.3 fixes this issue. No workarounds are available.

Affected Version(s)

cvat >= 2.2.0, < 2.14.3

CVSS V3.1

Score: 7.1
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published: 13 June 2024

  • Vulnerability reserved