Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
CVAT's export and backup-related API endpoints are susceptible to CSRF
Vulnerability Description
Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. Starting in version 2.2.0 and prior to version 2.14.3, if an attacker can trick a logged-in CVAT user into visiting a malicious URL, they can initiate a dataset export or a backup from a project, task or job that the victim user has permission to export into a cloud storage that the victim user has access to. The name of the resulting file can be chosen by the attacker. This implies that the attacker can overwrite arbitrary files in any cloud storage that the victim can access and, if the attacker has read access to the cloud storage used in the attack, they can obtain media files, annotations, settings and other information from any projects, tasks or jobs that the victim has permission to export. Version 2.14.3 contains a fix for the issue. No known workarounds are available.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Vulnerability Type
跨站请求伪造(CSRF)
Vulnerability Title
CVAT 安全漏洞
Vulnerability Description
CVAT是一种用于计算机视觉的交互式视频和图像注释工具。 CVAT 2.2.0版本至2.14.3之前版本存在安全漏洞。攻击者利用该漏洞可以从受害者有权导出的任何项目、任务或作业中获取媒体文件、注释、设置和其他信息。
CVSS Information
N/A
Vulnerability Type
N/A