CVAT Privilege Escalation Vulnerability for Staff Users

Vulnerability

A vulnerability in CVAT (Computer Vision Annotation Tool) versions from 1.0.0 up to, but not including, 2.54.0 allows users with staff status to change their own permissions arbitrarily. This includes granting themselves superuser status and membership of the admin group, which provides full access to the CVAT instance's data. The root cause is that the PATCH /api/users/<id> endpoint lets staff users modify every field of their user profile, including the permission fields. CVAT version 2.55.0 has been released in response; it prevents staff users from promoting themselves to superuser. As a temporary measure, administrators can revoke staff status from users who should not have superuser privileges.

Impact

Exploitation of this vulnerability allows for unauthorized privilege escalation, enabling staff users to gain superuser rights and access sensitive data within the CVAT instance.

Reproduction

To reproduce this vulnerability, log into a CVAT instance as a user with staff status. Navigate to the user management API endpoint and use the PATCH method to modify your user profile. Include the 'is_superuser' field and set it to true. This action will grant you full administrative rights.

Remediation

Users can upgrade to CVAT version 2.55.0 or later. Additionally, review the list of users with staff status and revoke it from any users that should not have superuser privileges.
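The following is an added example, not code from the CVAT project, showing the authorization logic the vulnerability section says the PATCH /api/users/<id> handler lacked (the caller's own profile fully writable) beside the hardened form, plus the interim audit the remediation suggests. All names (User, PRIVILEGE_FIELDS, patch_user_legacy, patch_user, audit_users) are hypothetical and assume a Django-style user model with is_staff, is_superuser and groups fields.

```python
"""Added example, not CVAT project code: the authorization check a
PATCH /api/users/<id> handler needs so a staff user cannot self-promote.
All names here are hypothetical, not CVAT's own."""
from dataclasses import dataclass, fields, replace

# Fields that change what an account may do; only a superuser may edit them.
PRIVILEGE_FIELDS = {"is_superuser", "is_staff", "groups"}

@dataclass(frozen=True)
class User:
    id: int
    username: str
    is_staff: bool = False
    is_superuser: bool = False
    groups: frozenset = frozenset()

USER_FIELDS = {f.name for f in fields(User)}

class Forbidden(Exception):
    pass

def _check_basic(actor, target, patch):
    """Shared checks: known fields only; only the owner or a superuser may edit."""
    unknown = set(patch) - USER_FIELDS
    if unknown:
        raise ValueError(f"unknown fields: {sorted(unknown)}")
    if not (actor.is_superuser or actor.id == target.id):
        raise Forbidden("only the account owner or a superuser may edit")

def patch_user_legacy(actor, target, patch):
    """Behaviour the advisory describes: every field of the caller's own
    profile is writable, so a staff user can set is_superuser=True."""
    _check_basic(actor, target, patch)
    return replace(target, **patch)

def patch_user(actor, target, patch):
    """Hardened: privilege fields require a superuser actor; ordinary
    self-edits such as username remain allowed."""
    _check_basic(actor, target, patch)
    touched = PRIVILEGE_FIELDS & set(patch)
    if touched and not actor.is_superuser:
        raise Forbidden(f"only a superuser may change {sorted(touched)}")
    return replace(target, **patch)

def audit_users(users):
    """Interim measure from the advisory: list accounts holding staff status
    (or superuser/admin-group rights) so unneeded staff flags can be revoked."""
    return sorted(u.username for u in users
                  if u.is_staff or u.is_superuser or "admin" in u.groups)
```

The same field allow-list applies to any serializer that exposes permission fields: treat them as read-only unless the requester is already a superuser.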

Added: Jan 21, 2026, 10:20 PM
Updated: Jan 21, 2026, 10:20 PM

Vulnerability Rating

Custom Algorithm

spread: 6.2
impact: 5.6
exploitability: 6.3
remediation: 8.3
relevance: 2.3
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.