CVE-2024-37306

HIGH EPSS 10.6%
Published Jun 13, 20242y ago · Modified Jun 17, 20262w ago
7.1 CVSS 3.1
High
Find Similar
Published Jun 13, 2024 2y ago
Last Modified Jun 17, 2026 2w ago

Description

Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. Starting in version 2.2.0 and prior to version 2.14.3, if an attacker can trick a logged-in CVAT user into visiting a malicious URL, they can initiate a dataset export or a backup from a project, task or job that the victim user has permission to export into a cloud storage that the victim user has access to. The name of the resulting file can be chosen by the attacker. This implies that the attacker can overwrite arbitrary files in any cloud storage that the victim can access and, if the attacker has read access to the cloud storage used in the attack, they can obtain media files, annotations, settings and other information from any projects, tasks or jobs that the victim has permission to export. Version 2.14.3 contains a fix for the issue. No known workarounds are available.

CVSS Details

Base Score
7.1
Exploitability
2.8
Impact
4.2
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Unchanged
Confidentiality High
Integrity Low
Availability None

Threat Intelligence

EPSS Exploit Probability
10.6% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-352 Cross-Site Request Forgery (CSRF) Authentication

Affected Products 1

VendorProductVersionRange
cvatcomputer_vision_annotation_tool*≥2.2.0  –  <2.14.3

References 2

  • github.com https://github.com/cvat-ai/cvat/commit/5d36d10e493d92e893d7eae595544bcbe9cce1ce
    Patch
  • github.com https://github.com/cvat-ai/cvat/security/advisories/GHSA-jpf9-646h-4px7
    PatchVendor Advisory

Remediation

  • github.com https://github.com/cvat-ai/cvat/commit/5d36d10e493d92e893d7eae595544bcbe9cce1ce
    Patch
  • github.com https://github.com/cvat-ai/cvat/security/advisories/GHSA-jpf9-646h-4px7
    PatchVendor Advisory