AVID-2026-R1009
Description
Vulnerability CVE-2022-27234
Details
Server-side request forgery in the CVAT software maintained by Intel(R) before version 2.0.1 may allow an authenticated user to potentially enable information disclosure via network access.
Reason for inclusion in AVID: CVAT is an AI data-labeling tool used within AI/ML pipelines. CVE-2022-27234 describes a server-side request forgery (SSRF) vulnerability in the Intel-maintained CVAT that could lead to information disclosure. Because CVAT is a component used to build and train AI systems (data-labeling tooling and AI infrastructure deployment), the flaw is directly relevant to the AI supply chain and its security; the CVE, NVD and Intel advisory records provide ample evidence.
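The advisory does not say which CVAT endpoint accepted the attacker-controlled URL, so the following is an added, generic illustration and not CVAT's code or the fix shipped in 2.0.1. It shows the check a practitioner expects in front of any server-side URL fetch in a labeling tool (remote dataset import, cloud-storage connectors, webhook targets): allowlist the scheme, reject embedded credentials, resolve the host, and refuse every address that is not publicly routable (loopback, RFC 1918, link-local including the 169.254.169.254 cloud-metadata endpoint, IPv4-mapped IPv6). The function names, the `resolve` hook and the `FAKE_DNS` table are hypothetical and constructed so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _dns_resolve(host):
    """Real resolver: every A/AAAA answer is returned so all of them get checked."""
    infos = socket.getaddrinfo(host, None)
    # strip an IPv6 scope id such as "%eth0" before parsing
    return sorted({info[4][0].split("%")[0] for info in infos})


def _is_public(ip):
    """True only for globally routable addresses (unwrap ::ffff:a.b.c.d first)."""
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    return ip.is_global


def check_outbound_url(url, resolve=None):
    """Return the validated destination IPs for url, or raise ValueError.

    `resolve(host)` returns an iterable of IP strings; defaults to DNS.
    Hypothetical helper: this is not a CVAT API.
    """
    resolve = resolve or _dns_resolve
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")

    # A literal IP is checked directly; a name is resolved and every answer is checked,
    # because a single private record among several is enough to reach the inside.
    try:
        candidates = [ipaddress.ip_address(host)]
    except ValueError:
        candidates = [ipaddress.ip_address(a) for a in resolve(host)]
    if not candidates:
        raise ValueError(f"{host} did not resolve")
    for ip in candidates:
        if not _is_public(ip):
            raise ValueError(f"{host} points at non-public address {ip}")
    return [str(ip) for ip in candidates]


def is_safe_url(url, resolve=None):
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        check_outbound_url(url, resolve=resolve)
        return True
    except ValueError:
        return False


# Constructed DNS table standing in for the resolver (not real hosts).
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "internal.corp": ["10.0.0.5"],
    "rebind.attacker.test": ["93.184.216.34", "127.0.0.1"],
}


def fake_resolve(host):
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for u in ("https://example.com/dataset.zip",
              "http://169.254.169.254/latest/meta-data/",
              "http://internal.corp/",
              "http://[::ffff:127.0.0.1]/",
              "file:///etc/passwd"):
        print(f"{u:45s} {'allowed' if is_safe_url(u, fake_resolve) else 'blocked'}")
```

Two caveats that the check alone does not cover: the address that passed validation must be the one the HTTP client actually connects to (pin it, or re-run the check on every redirect and on each connection attempt), otherwise a DNS-rebinding host can pass the check and then point at 127.0.0.1; and an authenticated user is still the attacker here, so the check belongs on the server regardless of how trusted the logged-in account looks.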
References
Affected or Relevant Artifacts
- Developer: n/a
- Deployer: n/a
- Artifact Details:
| Type | Name |
|---|---|
| System | CVAT software maintained by Intel(R) |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Metric | Value |
|---|---|
| Version | 3.1 |
| Vector String | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| Base Score | 4.3 |
| Base Severity | 🟠 Medium |
| Attack Vector | NETWORK |
| Attack Complexity | 🟢 Low |
| Privileges Required | 🟢 Low |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | 🟢 Low |
| Integrity Impact | NONE |
| Availability Impact | NONE |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2023-02-16
- Version: 0.3.3
- AVID Entry