Skip to main content

Computer Vision Annotation Tool CVE-2024-37164

HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2024-06-13 security-advisories@github.com
8.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.5 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
High
Availability
None

Lifecycle Timeline

1
CVE Published
Jun 13, 2024 - 15:15 nvd
HIGH 8.5

DescriptionNVD

Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. CVAT allows users to supply custom endpoint URLs for cloud storages based on Amazon S3 and Azure Blob Storage. Starting in version 2.1.0 and prior to version 2.14.3, an attacker with a CVAT account can exploit this feature by specifying URLs whose host part is an intranet IP address or an internal domain name. By doing this, the attacker may be able to probe the network that the CVAT backend runs in for HTTP(S) servers. In addition, if there is a web server on this network that is sufficiently API-compatible with an Amazon S3 or Azure Blob Storage endpoint, and either allows anonymous access, or allows authentication with credentials that are known by the attacker, then the attacker may be able to create a cloud storage linked to this server. They may then be able to list files on the server; extract files from the server, if these files are of a type that CVAT supports reading from cloud storage (media data (such as images/videos/archives), importable annotations or datasets, task/project backups); and/or overwrite files on this server with exported annotations/datasets/backups. The exact capabilities of the attacker will depend on how the internal server is configured. Users should upgrade to CVAT 2.14.3 to receive a patch. In this release, the existing SSRF mitigation measures are applied to requests to cloud providers, with access to intranet IP addresses prohibited by default. Some workarounds are also available. One may use network security solutions such as virtual networks or firewalls to prohibit network access from the CVAT backend to unrelated servers on your internal network and/or require authentication for access to internal servers.

AnalysisAI

Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

Technical ContextAI

This vulnerability is classified as Server-Side Request Forgery (SSRF) (CWE-918), which allows attackers to make the server perform requests to unintended internal or external resources. Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. CVAT allows users to supply custom endpoint URLs for cloud storages based on Amazon S3 and Azure Blob Storage. Starting in version 2.1.0 and prior to version 2.14.3, an attacker with a CVAT account can exploit this feature by specifying URLs whose host part is an intranet IP address or an internal domain name. By doing this, the attacker may be able to probe the network that the CVAT backend runs in for HTTP(S) servers. In addition, if there is a web server on this network that is sufficiently API-compatible with an Amazon S3 or Azure Blob Storage endpoint, and either allows anonymous access, or allows authentication with credentials that are known by the attacker, then the attacker may be able to create a cloud storage linked to this server. They may then be able to list files on the server; extract files from the server, if these files are of a type that CVAT supports reading from cloud storage (media data (such as images/videos/archives), importable annotations or datasets, task/project backups); and/or overwrite files on this server with exported annotations/datasets/backups. The exact capabilities of the attacker will depend on how the internal server is configured. Users should upgrade to CVAT 2.14.3 to receive a patch. In this release, the existing SSRF mitigation measures are applied to requests to cloud providers, with access to intranet IP addresses prohibited by default. Some workarounds are also available. One may use network security solutions such as virtual networks or firewalls to prohibit network access from the CVAT backend to unrelated servers on your internal network and/or require authentication for access to internal servers. Affected products include: Cvat Computer Vision Annotation Tool. Version information: version 2.1.0.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Validate and allowlist destination URLs, block requests to internal networks, use network segmentation.

CVE-2022-31188 CRITICAL POC
9.8 Aug 01

CVAT is an opensource interactive video and image annotation tool for computer vision. Rated critical severity (CVSS 9.8

CVE-2026-23526 HIGH
8.8 Jan 21

CVAT is an open source interactive video and image annotation tool for computer vision. [CVSS 8.8 HIGH]

CVE-2024-37306 HIGH
7.1 Jun 13

Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. Rated high

CVE-2025-49135 MEDIUM
6.5 Jun 25

CVAT is an open source interactive video and image annotation tool for computer vision. Versions 2.2.0 through 2.39.0 ha

CVE-2024-45393 MEDIUM
6.4 Sep 10

Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. Rated medi

CVE-2024-47064 MEDIUM
6.3 Sep 30

Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. Rated medi

CVE-2024-47063 MEDIUM
6.2 Sep 30

Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. Rated medi

CVE-2026-23516 MEDIUM
5.4 Jan 21

CVAT is an open source interactive video and image annotation tool for computer vision. [CVSS 5.4 MEDIUM]

CVE-2024-47172 MEDIUM
5.4 Sep 30

Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. Rated medi

CVE-2025-48381 MEDIUM
5.3 May 30

Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. Rated medi

CVE-2025-23045 HIGH
8.7 Jan 28

Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. Rated high

Share

CVE-2024-37164 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy