AVID-2026-R1544

Description

Computer Vision Annotation Tool (CVAT) access control is broken in several PATCH endpoints (CVE-2024-47172)

Details

Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. An attacker with a CVAT account may retrieve certain information about any project, task, job or membership resource on the CVAT instance. The information exposed in this way is the same as the information returned on a GET request to the resource. In addition, the attacker can also alter the default source and target storage associated with any project or task. Upgrade to CVAT 2.19.1 or any later version to fix the issue.

Reason for inclusion in AVID: CVE-2024-47172 targets CVAT, a widely used AI data labeling tool. It describes broken access control (CWE-863) that allows information disclosure about projects, tasks and members, as well as alteration of the default storage associations, exploitable by an attacker holding a CVAT account. CVAT is part of the AI data preparation and labeling pipeline, and is therefore a software component used to build, train and deploy AI systems. The vulnerability is a software security issue with potential impact on data confidentiality and integrity within AI workflows, supported by CVSS details and advisories. This satisfies the AI-related, GP AI supply chain, security/safety vulnerability, and sufficiency criteria.

References

Affected or Relevant Artifacts

  • Developer: cvat-ai
  • Deployer: cvat-ai
  • Artifact Details:
      Type     Name
      System   cvat

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

Version: 3.1
Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Base Score: 5.4
Base Severity: 🟠 Medium
Attack Vector: NETWORK
Attack Complexity: 🟢 Low
Privileges Required: 🟢 Low
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: 🟢 Low
Integrity Impact: 🟢 Low
Availability Impact: NONE

CWE

ID        Description
CWE-863   CWE-863: Incorrect Authorization

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2024-09-30
  • Version: 0.3.3
  • AVID Entry