CVE-2024-37306

See a problem?
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-37306
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-37306.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-37306
Aliases
  • GHSA-jpf9-646h-4px7
Published
2024-06-13T15:15:53Z
Modified
2024-06-14T02:12:25.870200Z
Summary
[none]
Details

Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. Starting in version 2.2.0 and prior to version 2.14.3, if an attacker can trick a logged-in CVAT user into visiting a malicious URL, they can initiate a dataset export or a backup from a project, task or job that the victim user has permission to export into a cloud storage that the victim user has access to. The name of the resulting file can be chosen by the attacker. This implies that the attacker can overwrite arbitrary files in any cloud storage that the victim can access and, if the attacker has read access to the cloud storage used in the attack, they can obtain media files, annotations, settings and other information from any projects, tasks or jobs that the victim has permission to export. Version 2.14.3 contains a fix for the issue. No known workarounds are available.

References

Affected packages

Git / github.com/cvat-ai/cvat

Affected ranges

Type
GIT
Repo
https://github.com/cvat-ai/cvat
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

0.*

0.1.0
0.1.1
0.1.2
0.2.0

v0.*

v0.3.0
v0.4.0
v0.4.1
v0.5.0
v0.5.1
v0.5.2
v0.6.0
v0.6.1

v1.*

v1.0.0
v1.0.0-alpha
v1.0.0-beta.1
v1.0.0-beta.2
v1.1.0
v1.1.0-alpha
v1.1.0-beta
v1.2.0
v1.2.0-beta
v1.3.0
v1.4.0
v1.5.0
v1.6.0
v1.7.0

v2.*

v2.0.0
v2.0.0-alpha
v2.1.0
v2.2.0
v2.3.0
v2.4.0
v2.4.1
v2.4.2
v2.4.3
v2.4.4
v2.4.5
v2.4.6
v2.4.7
v2.4.8
v2.4.9
v2.5.0
v2.5.1
v2.5.2
v2.6.0
v2.6.1
v2.6.2
v2.7.0
v2.7.1
v2.7.2
v2.7.3
v2.7.4
v2.7.5
v2.7.6