SB20240910158 - Missing Authorization in Computer Vision Annotation Tool (CVAT)
Published: September 10, 2024 Updated: May 21, 2026
Description
This security bulletin contains information about 1 vulnerability.
1) Missing Authorization (CVE-ID: CVE-2024-45393)
CWE-ID: CWE-862 - Missing Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to access webhook delivery information and trigger webhook deliveries for other users.
The vulnerability exists due to missing access control in the endpoints that handle webhook delivery operations. A remote user can send crafted requests to view delivery information, redeliver past deliveries, or trigger ping events for webhooks belonging to other users.
The exposed delivery information may include details about the event that caused the delivery, including the affected object and the user who performed the action.
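The bug class described above, as an added example (not CVAT's own code): an in-memory model of webhooks and their deliveries in which the unchecked handler returns another user's delivery details, while the fixed handlers authorize the caller against the webhook's owner before viewing, redelivering, or pinging. All names, data, and the ownership policy are hypothetical.

```python
"""Added example (not CVAT's own code) of the bug class in CVE-2024-45393: webhook
delivery handlers that skip the owner check. All names here are hypothetical."""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the requester may not act on the parent webhook."""


@dataclass
class Webhook:
    id: int
    owner: str            # user who created the webhook


@dataclass
class Delivery:
    id: int
    webhook_id: int
    event: str            # may reveal the affected object and the acting user


# Constructed sample data: two users, each owning one webhook with one delivery.
WEBHOOKS = {1: Webhook(1, "alice"), 2: Webhook(2, "bob")}
DELIVERIES = {10: Delivery(10, 1, "update:task by alice"),
              20: Delivery(20, 2, "create:job by bob")}


def authorize(user: str, webhook_id: int, is_admin: bool = False) -> None:
    """Deny unless the caller owns the parent webhook (or is an admin)."""
    if not (is_admin or WEBHOOKS[webhook_id].owner == user):
        raise Forbidden(f"{user} may not act on webhook {webhook_id}")


def view_delivery_unchecked(user: str, delivery_id: int) -> str:
    """Vulnerable pattern: fetches the delivery without checking the caller."""
    return DELIVERIES[delivery_id].event


def view_delivery(user: str, delivery_id: int, is_admin: bool = False) -> str:
    """Fixed: authorize against the parent webhook before exposing details."""
    d = DELIVERIES[delivery_id]
    authorize(user, d.webhook_id, is_admin)
    return d.event


def redeliver(user: str, delivery_id: int, is_admin: bool = False) -> str:
    """Fixed redelivery: same check first; the actual re-send would follow."""
    d = DELIVERIES[delivery_id]
    authorize(user, d.webhook_id, is_admin)
    return f"redelivered {d.id} to webhook {d.webhook_id}"


def ping(user: str, webhook_id: int, is_admin: bool = False) -> str:
    """Fixed ping: only the owner (or an admin) may trigger a ping event."""
    authorize(user, webhook_id, is_admin)
    return f"ping sent for webhook {webhook_id}"
```

The unchecked handler is the defect to look for in review: the delivery is fetched by id alone, so the caller's relationship to the webhook is never established.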
Remediation
Install the update from the vendor's website.