Computer Vision Annotation Tool Information Disclosure Vulnerability

Vulnerability

An information disclosure vulnerability has been identified in the Computer Vision Annotation Tool (CVAT), affecting versions from 2.4.0 up to, but not including, 2.38.0. An authenticated user can exploit it to retrieve the IDs and names of all tasks, projects, and labels, as well as the IDs of all jobs and quality reports on the CVAT instance. The same issue can also cause a denial-of-service condition by tying up system resources, which may deny access to legitimate users.

Impact

Exploitation of this vulnerability could result in unauthorized information disclosure, allowing authenticated users to access data about tasks, projects, labels, jobs, and quality reports on the CVAT instance that they are not entitled to see. Additionally, if the instance holds a large number of resources, the same request pattern can consume enough system resources to cause a denial-of-service condition and disrupt access for legitimate users.

Remediation

Users are advised to upgrade to CVAT version 2.38.0 or later.
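The remediation boils down to a version comparison against the affected range stated above (2.4.0 up to, but not including, 2.38.0). The following is an added example, not code from the advisory or from the CVAT project, of how a defender might triage an inventory of CVAT instances against that range. The host names and version strings in SAMPLE_INVENTORY are constructed for illustration; the version-string format it accepts (optional "v" prefix, two or three numeric components, optional pre-release suffix such as "rc1") is an assumption about how versions are recorded, not something the advisory specifies.

```python
import re

# Affected range from the advisory: 2.4.0 <= version < 2.38.0.
# Tuples are (major, minor, patch, is_final); is_final=0 marks a pre-release so
# that "2.38.0rc1" sorts below the final "2.38.0". Pre-releases of the fixed
# version are conservatively still treated as affected.
AFFECTED_FROM = (2, 4, 0, 0)
FIXED_IN = (2, 38, 0, 1)

# Accepts "2.38.0", "v2.37.9", "2.4", "2.38.0rc1", "2.38.0-beta2" (assumed format).
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?(?:[.-]?([A-Za-z]+)\d*)?$")


def parse_version(text):
    """Turn a version string into a comparable tuple; ValueError if unparseable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if suffix else 1)


def is_affected(version_text):
    """True when the version falls inside the advisory's affected range."""
    return AFFECTED_FROM <= parse_version(version_text) < FIXED_IN


def triage(inventory):
    """Split a {host: version} mapping into affected, fixed and unknown hosts.

    Hosts whose version cannot be parsed are reported separately rather than
    silently skipped, so they get a manual check instead of a false 'fixed'."""
    result = {"affected": [], "fixed": [], "unknown": []}
    for host, version in inventory.items():
        try:
            bucket = "affected" if is_affected(version) else "fixed"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(host)
    return {k: sorted(v) for k, v in result.items()}


# Constructed sample inventory (not real hosts or deployments).
SAMPLE_INVENTORY = {
    "cvat-prod": "2.37.1",
    "cvat-staging": "v2.38.0",
    "cvat-lab": "2.4.0",
    "old-box": "2.3.9",
    "mystery": "latest",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:9s} {', '.join(hosts) or '-'}")
```

Versions below 2.4.0 are reported as "fixed" only in the narrow sense that they are outside the range this advisory names; they are long out of date and should be upgraded regardless.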

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 5.0
impact: 1.3
exploitability: 5.9
remediation: 7.7
relevance: 0.1
threat: 3.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.