CVE-2024-37306 (GCVE-0-2024-37306)
Vulnerability from cvelistv5
Published
2024-06-13 14:18
Modified
2024-08-02 03:50
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Summary
Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. Starting in version 2.2.0 and prior to version 2.14.3, if an attacker can trick a logged-in CVAT user into visiting a malicious URL, they can initiate a dataset export or a backup from a project, task or job that the victim user has permission to export into a cloud storage that the victim user has access to. The name of the resulting file can be chosen by the attacker. This implies that the attacker can overwrite arbitrary files in any cloud storage that the victim can access and, if the attacker has read access to the cloud storage used in the attack, they can obtain media files, annotations, settings and other information from any projects, tasks or jobs that the victim has permission to export. Version 2.14.3 contains a fix for the issue. No known workarounds are available.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:cvat:cvat:2.2.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "cvat",
"vendor": "cvat",
"versions": [
{
"lessThan": "2.14.3",
"status": "affected",
"version": "2.2.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-37306",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-13T15:56:51.538326Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-13T15:57:53.272Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:50:55.964Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/cvat-ai/cvat/security/advisories/GHSA-jpf9-646h-4px7",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/cvat-ai/cvat/security/advisories/GHSA-jpf9-646h-4px7"
},
{
"name": "https://github.com/cvat-ai/cvat/commit/5d36d10e493d92e893d7eae595544bcbe9cce1ce",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cvat-ai/cvat/commit/5d36d10e493d92e893d7eae595544bcbe9cce1ce"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "cvat",
"vendor": "cvat-ai",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.2.0, \u003c 2.14.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. Starting in version 2.2.0 and prior to version 2.14.3, if an attacker can trick a logged-in CVAT user into visiting a malicious URL, they can initiate a dataset export or a backup from a project, task or job that the victim user has permission to export into a cloud storage that the victim user has access to. The name of the resulting file can be chosen by the attacker. This implies that the attacker can overwrite arbitrary files in any cloud storage that the victim can access and, if the attacker has read access to the cloud storage used in the attack, they can obtain media files, annotations, settings and other information from any projects, tasks or jobs that the victim has permission to export. Version 2.14.3 contains a fix for the issue. No known workarounds are available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-13T14:18:28.853Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/cvat-ai/cvat/security/advisories/GHSA-jpf9-646h-4px7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/cvat-ai/cvat/security/advisories/GHSA-jpf9-646h-4px7"
},
{
"name": "https://github.com/cvat-ai/cvat/commit/5d36d10e493d92e893d7eae595544bcbe9cce1ce",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cvat-ai/cvat/commit/5d36d10e493d92e893d7eae595544bcbe9cce1ce"
}
],
"source": {
"advisory": "GHSA-jpf9-646h-4px7",
"discovery": "UNKNOWN"
},
"title": "CVAT\u0027s export and backup-related API endpoints are susceptible to CSRF"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-37306",
"datePublished": "2024-06-13T14:18:28.853Z",
"dateReserved": "2024-06-05T20:10:46.497Z",
"dateUpdated": "2024-08-02T03:50:55.964Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-37306\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-06-13T15:56:51.538326Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:cvat:cvat:2.2.0:*:*:*:*:*:*:*\"], \"vendor\": \"cvat\", \"product\": \"cvat\", \"versions\": [{\"status\": \"affected\", \"version\": \"2.2.0\", \"lessThan\": \"2.14.3\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-06-13T15:57:48.033Z\"}}], \"cna\": {\"title\": \"CVAT\u0027s export and backup-related API endpoints are susceptible to CSRF\", \"source\": {\"advisory\": \"GHSA-jpf9-646h-4px7\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"cvat-ai\", \"product\": \"cvat\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 2.2.0, \u003c 2.14.3\"}]}], \"references\": [{\"url\": \"https://github.com/cvat-ai/cvat/security/advisories/GHSA-jpf9-646h-4px7\", \"name\": \"https://github.com/cvat-ai/cvat/security/advisories/GHSA-jpf9-646h-4px7\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/cvat-ai/cvat/commit/5d36d10e493d92e893d7eae595544bcbe9cce1ce\", \"name\": \"https://github.com/cvat-ai/cvat/commit/5d36d10e493d92e893d7eae595544bcbe9cce1ce\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. Starting in version 2.2.0 and prior to version 2.14.3, if an attacker can trick a logged-in CVAT user into visiting a malicious URL, they can initiate a dataset export or a backup from a project, task or job that the victim user has permission to export into a cloud storage that the victim user has access to. The name of the resulting file can be chosen by the attacker. This implies that the attacker can overwrite arbitrary files in any cloud storage that the victim can access and, if the attacker has read access to the cloud storage used in the attack, they can obtain media files, annotations, settings and other information from any projects, tasks or jobs that the victim has permission to export. Version 2.14.3 contains a fix for the issue. No known workarounds are available.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-352\", \"description\": \"CWE-352: Cross-Site Request Forgery (CSRF)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-06-13T14:18:28.853Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-37306\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-06-13T15:57:53.272Z\", \"dateReserved\": \"2024-06-05T20:10:46.497Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-06-13T14:18:28.853Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…