PT-2024-27464 · Cvat · Cvat

Speclad · Published 2024-06-13 · Updated 2025-01-21 · CVE-2024-37306

CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Computer Vision Annotation Tool (CVAT) versions 2.2.0 through 2.14.3

Description: The issue allows an attacker to initiate a dataset export or a backup from a project, task, or job that the victim user has permission to export, into a cloud storage that the victim user has access to, by tricking a logged-in CVAT user into visiting a malicious URL. The attacker can choose the name of the resulting file, which implies they can overwrite arbitrary files in any cloud storage the victim can access. If the attacker has read access to the cloud storage used in the attack, they can obtain media files, annotations, settings, and other information from any projects, tasks, or jobs that the victim has permission to export.

Recommendations: For versions prior to 2.14.3, update to version 2.14.3 to resolve the issue. As a temporary workaround, consider restricting access to cloud storage for CVAT users to minimize the risk of exploitation. Avoid using CVAT to export datasets or backups to cloud storage until the issue is resolved.
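The description above is a classic cross-site request forgery: a state-changing export is triggered by a URL the victim merely visits, with the browser attaching the victim's session cookie. The block below is an added illustration, not CVAT's code and not the patch behind the Fix link, of the server-side gate that stops this class of bug: the export action is only reachable via POST, the request's Origin/Referer must match the site's own origin, and a session-bound CSRF token must be present. The origin `https://cvat.example.org`, the header/form layout and the function names are all assumptions made for the example; the sample requests are constructed.

```python
"""
Added example (not CVAT's own code): a minimal CSRF gate for a
state-changing "export to cloud storage" endpoint.  Everything here
(origin, request shape, names) is a hypothetical stand-in.
"""
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

SITE_ORIGIN = "https://cvat.example.org"      # assumed deployment origin
_CSRF_SECRET = secrets.token_bytes(32)        # server-side secret, rotated per process here


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for the session. SameSite=Lax stops the cookie being sent
    on cross-site POSTs, but it IS still sent on top-level GET navigations (the
    'visit a malicious URL' case), which is why GET must never change state."""
    return f"sessionid={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def issue_csrf_token(session_id: str) -> str:
    """Derive a CSRF token bound to the session so a token captured for one
    session cannot be replayed for another."""
    return hmac.new(_CSRF_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def _origin_allowed(headers: dict) -> bool:
    """Prefer the Origin header; fall back to Referer. Absent both, refuse."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parsed = urlparse(source)
    return f"{parsed.scheme}://{parsed.netloc}" == SITE_ORIGIN


def check_export_request(method: str, headers: dict, form: dict, session_id: str):
    """Return (allowed, reason) for an export/backup request.

    Order matters: the cheap structural checks (method, origin) run before the
    token comparison, and the token compare is constant-time."""
    if method.upper() != "POST":
        return False, "state-changing action is not reachable via GET"
    if not _origin_allowed(headers):
        return False, "Origin/Referer is not this site"
    supplied = form.get("csrf_token", "")
    expected = issue_csrf_token(session_id)
    if not hmac.compare_digest(supplied, expected):
        return False, "missing or invalid CSRF token"
    return True, "ok"


if __name__ == "__main__":
    sid = "victim-session-1"                 # constructed session id
    # Constructed request 1: victim clicks an attacker link (top-level GET, cookie attached).
    print(check_export_request("GET", {"Referer": "https://attacker.example/lure"}, {}, sid))
    # Constructed request 2: auto-submitted cross-site form; Origin reveals the attacker page.
    print(check_export_request("POST", {"Origin": "https://attacker.example"},
                               {"csrf_token": "guess"}, sid))
    # Constructed request 3: genuine same-origin POST from the app's own UI.
    print(check_export_request("POST", {"Origin": SITE_ORIGIN},
                               {"csrf_token": issue_csrf_token(sid)}, sid))
```

Frameworks such as Django (which CVAT is built on) ship equivalent middleware; the point of the hand-rolled version is to make visible which of the three checks the "malicious URL" in the advisory defeats when an action is exposed over GET: none of the cookie settings help, only refusing to act on GET and demanding a same-origin, token-bearing POST does.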

Exploit · Fix · CSRF


Weakness Enumeration

Related Identifiers: CVE-2024-37306, GHSA-JPF9-646H-4PX7

Affected Products: Cvat