Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
CVAT missing validation for in-progress backup upload names
Vulnerability Description
CVAT is an open source interactive video and image annotation tool for computer vision. Versions 2.2.0 through 2.39.0 have no validation during the import process of a project or task backup to check that the filename specified in the query parameter refers to a TUS-uploaded file belonging to the same user. As a result, if an attacker with a CVAT account and a `user` role knows the filenames of other users' uploads, they could potentially access and steal data by creating projects or tasks using those files. This issue does not affect annotation or dataset TUS uploads, since in this case object-specific temporary directories are used. Users should upgrade to CVAT 2.40.0 or a later version to receive a patch. No known workarounds are available.
CVSS Information
N/A
Vulnerability Type
通过用户控制密钥绕过授权机制
Vulnerability Title
CVAT.ai CVAT 安全漏洞
Vulnerability Description
CVAT.ai CVAT是CVAT.ai开源的一个数据处理工具。 CVAT.ai CVAT 2.2.0至2.39.0版本存在安全漏洞,该漏洞源于导入过程中缺少验证,可能导致数据泄露。
CVSS Information
N/A
Vulnerability Type
N/A