{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-37306", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-06-05T20:10:46.497Z", "datePublished": "2024-06-13T14:18:28.853Z", "dateUpdated": "2024-08-02T03:50:55.964Z"}, "containers": {"cna": {"title": "CVAT's export and backup-related API endpoints are susceptible to CSRF", "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "lang": "en", "description": "CWE-352: Cross-Site Request Forgery (CSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/cvat-ai/cvat/security/advisories/GHSA-jpf9-646h-4px7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/cvat-ai/cvat/security/advisories/GHSA-jpf9-646h-4px7"}, {"name": "https://github.com/cvat-ai/cvat/commit/5d36d10e493d92e893d7eae595544bcbe9cce1ce", "tags": ["x_refsource_MISC"], "url": "https://github.com/cvat-ai/cvat/commit/5d36d10e493d92e893d7eae595544bcbe9cce1ce"}], "affected": [{"vendor": "cvat-ai", "product": "cvat", "versions": [{"version": ">= 2.2.0, < 2.14.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-06-13T14:18:28.853Z"}, "descriptions": [{"lang": "en", "value": "Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. Starting in version 2.2.0 and prior to version 2.14.3, if an attacker can trick a logged-in CVAT user into visiting a malicious URL, they can initiate a dataset export or a backup from a project, task or job that the victim user has permission to export into a cloud storage that the victim user has access to. The name of the resulting file can be chosen by the attacker. This implies that the attacker can overwrite arbitrary files in any cloud storage that the victim can access and, if the attacker has read access to the cloud storage used in the attack, they can obtain media files, annotations, settings and other information from any projects, tasks or jobs that the victim has permission to export. Version 2.14.3 contains a fix for the issue. No known workarounds are available."}], "source": {"advisory": "GHSA-jpf9-646h-4px7", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "cvat", "product": "cvat", "cpes": ["cpe:2.3:a:cvat:cvat:2.2.0:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "2.2.0", "status": "affected", "lessThan": "2.14.3", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-13T15:56:51.538326Z", "id": "CVE-2024-37306", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-13T15:57:53.272Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:50:55.964Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/cvat-ai/cvat/security/advisories/GHSA-jpf9-646h-4px7", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/cvat-ai/cvat/security/advisories/GHSA-jpf9-646h-4px7"}, {"name": "https://github.com/cvat-ai/cvat/commit/5d36d10e493d92e893d7eae595544bcbe9cce1ce", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/cvat-ai/cvat/commit/5d36d10e493d92e893d7eae595544bcbe9cce1ce"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-37306", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-13T15:56:51.538326Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:cvat:cvat:2.2.0:*:*:*:*:*:*:*"], "vendor": "cvat", "product": "cvat", "versions": [{"status": "affected", "version": "2.2.0", "lessThan": "2.14.3", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-13T15:57:48.033Z"}}], "cna": {"title": "CVAT's export and backup-related API endpoints are susceptible to CSRF", "source": {"advisory": "GHSA-jpf9-646h-4px7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "cvat-ai", "product": "cvat", "versions": [{"status": "affected", "version": ">= 2.2.0, < 2.14.3"}]}], "references": [{"url": "https://github.com/cvat-ai/cvat/security/advisories/GHSA-jpf9-646h-4px7", "name": "https://github.com/cvat-ai/cvat/security/advisories/GHSA-jpf9-646h-4px7", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/cvat-ai/cvat/commit/5d36d10e493d92e893d7eae595544bcbe9cce1ce", "name": "https://github.com/cvat-ai/cvat/commit/5d36d10e493d92e893d7eae595544bcbe9cce1ce", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. Starting in version 2.2.0 and prior to version 2.14.3, if an attacker can trick a logged-in CVAT user into visiting a malicious URL, they can initiate a dataset export or a backup from a project, task or job that the victim user has permission to export into a cloud storage that the victim user has access to. The name of the resulting file can be chosen by the attacker. This implies that the attacker can overwrite arbitrary files in any cloud storage that the victim can access and, if the attacker has read access to the cloud storage used in the attack, they can obtain media files, annotations, settings and other information from any projects, tasks or jobs that the victim has permission to export. Version 2.14.3 contains a fix for the issue. No known workarounds are available."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352: Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-06-13T14:18:28.853Z"}}}, "cveMetadata": {"cveId": "CVE-2024-37306", "state": "PUBLISHED", "dateUpdated": "2024-06-13T15:57:53.272Z", "dateReserved": "2024-06-05T20:10:46.497Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-06-13T14:18:28.853Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cvat:computer_vision_annotation_tool:*:*:*:*:*:*:*:*", "matchCriteriaId": "A2D2208D-9E3B-4621-896F-8CFAD83E10F6", "versionEndExcluding": "2.14.3", "versionStartIncluding": "2.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. Starting in version 2.2.0 and prior to version 2.14.3, if an attacker can trick a logged-in CVAT user into visiting a malicious URL, they can initiate a dataset export or a backup from a project, task or job that the victim user has permission to export into a cloud storage that the victim user has access to. The name of the resulting file can be chosen by the attacker. This implies that the attacker can overwrite arbitrary files in any cloud storage that the victim can access and, if the attacker has read access to the cloud storage used in the attack, they can obtain media files, annotations, settings and other information from any projects, tasks or jobs that the victim has permission to export. Version 2.14.3 contains a fix for the issue. No known workarounds are available."}, {"lang": "es", "value": "Computer Vision Annotation Tool (CVAT) es una herramienta interactiva de anotaci\u00f3n de im\u00e1genes y videos para visi\u00f3n por computadora. A partir de la versi\u00f3n 2.2.0 y antes de la versi\u00f3n 2.14.3, si un atacante puede enga\u00f1ar a un usuario CVAT que ha iniciado sesi\u00f3n para que visite una URL maliciosa, puede iniciar una exportaci\u00f3n de conjunto de datos o una copia de seguridad de un proyecto, tarea o trabajo que la v\u00edctima haya realizado. El usuario tiene permiso para exportar a un almacenamiento en la nube al que el usuario v\u00edctima tiene acceso. El atacante puede elegir el nombre del archivo resultante. Esto implica que el atacante puede sobrescribir archivos arbitrarios en cualquier almacenamiento en la nube al que la v\u00edctima pueda acceder y, si el atacante tiene acceso de lectura al almacenamiento en la nube utilizado en el ataque, puede obtener archivos multimedia, anotaciones, configuraciones y otra informaci\u00f3n de cualquier proyecto, tareas o trabajos que la v\u00edctima tiene permiso para exportar. La versi\u00f3n 2.14.3 contiene una soluci\u00f3n para el problema. No hay workarounds disponibles."}], "id": "CVE-2024-37306", "lastModified": "2025-01-21T14:37:34.690", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-06-13T15:15:53.333", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/cvat-ai/cvat/commit/5d36d10e493d92e893d7eae595544bcbe9cce1ce"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/cvat-ai/cvat/security/advisories/GHSA-jpf9-646h-4px7"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/cvat-ai/cvat/commit/5d36d10e493d92e893d7eae595544bcbe9cce1ce"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/cvat-ai/cvat/security/advisories/GHSA-jpf9-646h-4px7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}