CVE-2022-31188

Опубликовано: 01 авг. 2022

Источник: nvd

CVSS3: 8.6

CVSS3: 9.8

EPSS Средний

Описание

CVAT is an opensource interactive video and image annotation tool for computer vision. Versions prior to 2.0.0 were found to be subject to a Server-side request forgery (SSRF) vulnerability. Validation has been added to urls used in the affected code path in version 2.0.0. Users are advised to upgrade. There are no known workarounds for this issue.

Ссылки

http://packetstormsecurity.com/files/169814/CVAT-2.0-Server-Side-Request-Forgery.html
Exploit
Third Party Advisory
VDB Entry
https://github.com/cvat-ai/cvat/commit/6fad1764efd922d99dbcda28c4ee72d071aa5a07
Patch
Third Party Advisory
https://github.com/cvat-ai/cvat/security/advisories/GHSA-7vpj-j5xv-29pr
Patch
Third Party Advisory
http://packetstormsecurity.com/files/169814/CVAT-2.0-Server-Side-Request-Forgery.html
Exploit
Third Party Advisory
VDB Entry
https://github.com/cvat-ai/cvat/commit/6fad1764efd922d99dbcda28c4ee72d071aa5a07
Patch
Third Party Advisory
https://github.com/cvat-ai/cvat/security/advisories/GHSA-7vpj-j5xv-29pr
Patch
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:cvat:cvat:*:*:*:*:*:*:*:*

Версия до 2.0.0 (исключая)

EPSS

Процентиль: 97%

0.35725

Средний

8.6 High

CVSS3

9.8 Critical

CVSS3

Дефекты

CWE-918

Связанные уязвимости

BDU:2022-06758

CVSS3: 9.8

fstec

больше 3 лет назад

Уязвимость программного средства аннотирования компьютерного зрения Computer Vision Annotation Tool (CVAT), связанная с недостаточной проверкой поступающих запросов, позволяющая нарушителю осуществить SSRF-атаку

EPSS

Процентиль: 97%

0.35725

Средний

8.6 High

CVSS3

9.8 Critical

CVSS3

Дефекты

CWE-918