CVAT Email Verification Bypass Vulnerability in Basic Authentication

Vulnerability

A vulnerability exists in CVAT (Computer Vision Annotation Tool) versions 1.1.0 prior to 2.41.0 that allows users to bypass email verification when registering accounts via Basic HTTP Authentication. Because the Basic authentication path never checked whether the account's email address had been confirmed, accounts registered with fake email addresses were treated as verified users. The missing verification step also opened the door to bot signups and related automated abuse.

Impact

Exploitation of this vulnerability allowed for the creation of accounts without valid email verification, enabling unauthorized access as a verified user. This also facilitated bot signups, potentially leading to automated abuse of the application.

Reproduction

To reproduce this vulnerability, register an account using a fake email address while Basic HTTP Authentication is enabled. The system will accept the registration as verified, bypassing the email verification process. This can be automated with a bot that signs up using invalid email addresses.

Remediation

Users can upgrade to CVAT version 2.42.0 or later, where this vulnerability has been patched. CVAT Enterprise customers can disable registration as a workaround.
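To make the flaw concrete, here is an added illustration, not CVAT's own code: a minimal model of an HTTP Basic authentication path that checks only the password, beside the hardened form that also requires a confirmed email address. The user store, the `email_verified` field and the hashing scheme are assumptions for this example.

```python
# Added example (not CVAT's code). Models the bug class: a Basic-auth path that
# grants access on credentials alone versus one that also enforces verification.
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

@dataclass
class User:
    username: str
    email: str
    email_verified: bool   # assumed field name; set by the email-confirmation flow
    salt: bytes
    pw_hash: bytes

def make_user(username: str, email: str, password: str, verified: bool) -> User:
    salt = os.urandom(16)
    return User(username, email, verified, salt,
                hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

# Constructed sample accounts: one confirmed, one registered with a fake address.
USERS = {
    "alice": make_user("alice", "alice@example.com", "correct horse", True),
    "bot01": make_user("bot01", "nobody@invalid.test", "hunter2", False),
}

def _parse_basic(header: str):
    """Return (username, password) from an 'Authorization: Basic ...' value, else None."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, pw = base64.b64decode(token, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user, pw

def _password_ok(user: User, password: str) -> bool:
    h = hashlib.pbkdf2_hmac("sha256", password.encode(), user.salt, 100_000)
    return hmac.compare_digest(h, user.pw_hash)

def authenticate_vulnerable(header: str) -> Optional[User]:
    """Flawed path: a valid password is enough; verification status is never consulted."""
    creds = _parse_basic(header)
    user = USERS.get(creds[0]) if creds else None
    return user if user and _password_ok(user, creds[1]) else None

def authenticate_fixed(header: str) -> Optional[User]:
    """Hardened path: an unconfirmed address is rejected even with a valid password."""
    user = authenticate_vulnerable(header)
    return user if user and user.email_verified else None

def basic_header(username: str, password: str) -> str:
    """Build the header value a client would send (used by the checks below)."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()
```

The difference between the two functions is the single `email_verified` check; the rest of the flow (header parsing, constant-time password comparison) is identical, which is why such a gap is easy to miss in review.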

Added: Jul 30, 2025, 3:17 PM
Updated: Jul 30, 2025, 3:17 PM

Vulnerability Rating

Custom Algorithm

spread: 6.2
impact: 0.6
exploitability: 6.3
remediation: 8.3
relevance: 0.3
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.