jsbroks COCO Annotator Denial-of-Service Vulnerability in Endpoint /api/info/long_task

Vulnerability

A denial-of-service vulnerability has been identified in jsbroks COCO Annotator versions through 0.11.1. The issue resides in the endpoint /api/info/long_task, which is reachable without authentication and is not rate limited. Every request to it enqueues a Celery background task and creates a database entry, so a remote, unauthenticated user can fill the task queue and the database simply by sending requests in volume. Because the queued work is processed after the requests have been accepted, the application remains unresponsive even after the flood has stopped.

Impact

Exploitation of this vulnerability produces a complete denial-of-service condition: the application becomes unresponsive and fails to load datasets. The attack also leaves a large backlog in the task queue, which does not drain on its own and must be cleared manually before the application functions normally again.

Reproduction

To reproduce this vulnerability, send a high volume of requests to the /api/info/long_task endpoint, for example by piping a sequence of numbers into curl so that many requests are issued in parallel. Shortly after the flood starts, the application stops responding, the logs show a large number of tasks being created and inserted into the MongoDB database, and the depth of the Celery queue grows rapidly, indicating that the workers cannot keep up.

Remediation

It is recommended to implement firewall rules to block or limit access to the vulnerable endpoint until it enforces authentication and rate limiting. After an attack, the backlog of queued tasks must also be purged, since it does not clear itself once the flood stops.
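The following is an added example, not code from COCO Annotator, that ties the Reproduction and Remediation sections together. A stub HTTP server stands in for the application: in "vulnerable" mode it enqueues a fake task for every request to /api/info/long_task, exactly as the advisory describes; in "hardened" mode it first requires a bearer token and then applies a per-client token-bucket rate limit. The parallel client reproduces the seq-into-curl flood. The token value, the rate and burst figures, and the in-memory list standing in for the Celery queue and MongoDB entries are all assumptions made for the demonstration.

```python
"""Added example (not COCO Annotator's code): flood a stub that mimics
/api/info/long_task, with and without auth plus rate limiting."""
import threading
import time
from concurrent.futures import ThreadPoolExecutor
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

ENDPOINT = "/api/info/long_task"
DEMO_TOKEN = "demo-token"   # constructed for this example
RATE_PER_SEC = 5.0          # assumed sustained rate per client
BURST = 10                  # assumed burst allowance per client


class TokenBucket:
    """Classic token bucket: BURST tokens, refilled at RATE_PER_SEC."""

    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens = rate, burst, float(burst)
        self.updated = time.monotonic()
        self.lock = threading.Lock()

    def allow(self):
        with self.lock:
            now = time.monotonic()
            self.tokens = min(self.burst, self.tokens + (now - self.updated) * self.rate)
            self.updated = now
            if self.tokens >= 1:
                self.tokens -= 1
                return True
            return False


class StubApp:
    """Stand-in for the Flask app. `queue` stands in for the Celery queue
    and the MongoDB entries created per request."""

    def __init__(self, hardened):
        self.hardened = hardened
        self.queue = []
        self.buckets = {}
        self.lock = threading.Lock()

    def handle(self, client_ip, auth_header):
        if self.hardened:
            if auth_header != "Bearer " + DEMO_TOKEN:
                return 401                      # anonymous callers never enqueue
            with self.lock:
                bucket = self.buckets.setdefault(client_ip, TokenBucket(RATE_PER_SEC, BURST))
            if not bucket.allow():
                return 429                      # over budget: reject before enqueueing
        with self.lock:
            self.queue.append(("long_task", client_ip))  # the unbounded work
        return 200


def make_handler(app):
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path != ENDPOINT:
                self.send_response(404)
                self.end_headers()
                return
            status = app.handle(self.client_address[0], self.headers.get("Authorization"))
            self.send_response(status)
            self.end_headers()

        def log_message(self, *args):   # keep the demo quiet
            pass
    return Handler


def serve(app):
    srv = ThreadingHTTPServer(("127.0.0.1", 0), make_handler(app))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def flood(base_url, n, workers=8, token=None):
    """Issue n parallel GETs (the advisory's seq | curl flood); return
    a dict of HTTP status -> count."""
    def one(_):
        req = Request(base_url + ENDPOINT)
        if token:
            req.add_header("Authorization", "Bearer " + token)
        try:
            with urlopen(req, timeout=5) as resp:
                return resp.status
        except HTTPError as err:
            return err.code
    counts = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for status in pool.map(one, range(n)):
            counts[status] = counts.get(status, 0) + 1
    return counts


def run_demo(n=40):
    """Flood both variants; return per-mode status counts and queue depth."""
    results = {}
    for mode in ("vulnerable", "hardened"):
        app = StubApp(hardened=(mode == "hardened"))
        srv = serve(app)
        url = "http://127.0.0.1:%d" % srv.server_port
        anon = flood(url, n)
        authed = flood(url, n, token=DEMO_TOKEN)
        srv.shutdown()
        srv.server_close()
        results[mode] = {"anon": anon, "authed": authed, "queued": len(app.queue)}
    return results


if __name__ == "__main__":
    for mode, r in run_demo().items():
        print(mode, r)
```

In the vulnerable mode every request, authenticated or not, lands in the queue, so the queue depth equals the number of requests sent; in the hardened mode anonymous requests are refused with 401 and authenticated ones are capped at the burst size plus whatever refills during the flood, so the queue depth stays bounded. The same authentication and rate limit can be enforced in front of the application (reverse proxy or firewall, as the advisory recommends) rather than in the handler; either way, purging the existing backlog is a separate step.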

Added: Feb 7, 2026, 7:18 PM
Updated: Feb 7, 2026, 7:18 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 2.7
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.