CVE-2025-54573

{"id": "CVE-2025-54573", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2025-07-30T15:15:35.707", "references": [{"url": "https://github.com/cvat-ai/cvat/commit/bc20eff16b8406fbb755f6540e6f269da0c9c5b2", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/cvat-ai/cvat/security/advisories/GHSA-fxgh-m76j-242q", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-287"}]}], "descriptions": [{"lang": "en", "value": "CVAT is an open source interactive video and image annotation tool for computer vision. In versions 1.1.0 through 2.41.0, email verification was not enforced when using Basic HTTP Authentication. As a result, users could create accounts using fake email addresses and use the product as verified users. Additionally, the missing email verification check leaves the system open to bot signups and further usage. CVAT 2.42.0 and later versions contain a fix for the issue. CVAT Enterprise customers have a workaround available; those customers may disable registration to prevent this issue."}, {"lang": "es", "value": "CVAT es una herramienta interactiva de c\u00f3digo abierto para la anotaci\u00f3n de im\u00e1genes y videos para visi\u00f3n artificial. En las versiones 1.1.0 a 2.41.0, la verificaci\u00f3n de correo electr\u00f3nico no se aplicaba al usar la autenticaci\u00f3n HTTP b\u00e1sica. Como resultado, los usuarios pod\u00edan crear cuentas con direcciones de correo electr\u00f3nico falsas y usar el producto como usuarios verificados. Adem\u00e1s, la falta de verificaci\u00f3n de correo electr\u00f3nico deja el sistema expuesto a registros de bots y a otros usos. CVAT 2.42.0 y versiones posteriores incluyen una soluci\u00f3n para este problema. Los clientes de CVAT Enterprise tienen una soluci\u00f3n alternativa; pueden desactivar el registro para evitar este problema."}], "lastModified": "2025-09-11T15:52:45.970", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:cvat:computer_vision_annotation_tool:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CFECB2B9-8BE0-45D7-8A9B-2D5DF510EA3A", "versionEndExcluding": "2.42.0", "versionStartIncluding": "1.1.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}