CVAT Vulnerability Allows Attacker to Probe Network and Overwrite Files
CVE-2024-37164

8.5 HIGH

Key Information:

Vendor: Cvat-ai

Status
Vendor
CVE Published: 13 June 2024

What is CVE-2024-37164?

The Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool. In affected versions, any user with a CVAT account can specify a custom endpoint URL that points at an intranet IP address or internal domain name. This is a server-side request forgery (SSRF) flaw: it lets an attacker scan the internal network for reachable HTTP(S) servers. If that network hosts a web server that is compatible with the Amazon S3 or Azure Blob Storage APIs and either allows anonymous access or uses credentials the attacker knows, the attacker gains unauthorized access to its data. They can list files, download files of the types CVAT supports (media data, annotation datasets, project backups), and potentially overwrite existing files on that server with their own data. Upgrade to CVAT 2.14.3, which implements SSRF mitigations that block access to intranet IP addresses by default. As additional protection, use virtual networks and firewalls to restrict access to internal servers.
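The kind of check the mitigation describes, rejecting endpoint URLs that resolve to intranet addresses, can be sketched as follows. This is an added example, not CVAT's own code; the function names, the exception class and the constructed DNS table are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

class EndpointRejected(ValueError):
    """The endpoint URL must not be contacted by the server."""

# Constructed name-to-address table so the example runs offline.
CONSTRUCTED_DNS = {
    "s3.public.example": ["8.8.8.8"],                 # stand-in public address
    "minio.corp.example": ["10.0.0.5"],               # RFC 1918 intranet host
    "mixed.example": ["8.8.8.8", "169.254.169.254"],  # one link-local answer
}

def constructed_resolver(host, port):
    if host not in CONSTRUCTED_DNS:
        raise socket.gaierror(f"unknown host {host}")
    return CONSTRUCTED_DNS[host]

def system_resolver(host, port):
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [info[4][0] for info in infos]

def vet_endpoint_url(url, resolver=system_resolver):
    """Return the vetted IP strings for url, or raise EndpointRejected."""
    try:
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError as exc:
        raise EndpointRejected(f"malformed URL: {exc}") from exc
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise EndpointRejected("only http(s) URLs with a host are accepted")
    host = parts.hostname
    try:
        addresses = [str(ipaddress.ip_address(host))]  # literal IP in the URL
    except ValueError:
        try:
            addresses = resolver(host, port)
        except OSError as exc:
            raise EndpointRejected(f"cannot resolve {host}") from exc
    vetted = []
    for text in addresses:
        ip = ipaddress.ip_address(text.split("%")[0])  # drop IPv6 zone id
        ip = getattr(ip, "ipv4_mapped", None) or ip    # unwrap ::ffff:a.b.c.d
        if not ip.is_global:                           # any internal answer rejects
            raise EndpointRejected(f"{host} -> non-public address {ip}")
        vetted.append(str(ip))
    if not vetted:
        raise EndpointRejected(f"{host} has no addresses")
    # Connect to these vetted IPs, not to the name again (DNS can change
    # between check and use), and re-run the check on every redirect.
    return vetted
```

A deployment that legitimately uses an internal S3-compatible store would need an explicit allowlist on top of this check, alongside the network-level controls mentioned above.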

Affected Version(s)

cvat >= 2.1.0, < 2.14.3

CVSS V3.1

Score: 8.5
Severity: HIGH
Confidentiality: Low
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved