Skip to main content

Computer Vision Annotation Tool CVE-2024-37306

HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2024-06-13 security-advisories@github.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Jun 13, 2024 - 15:15 nvd
HIGH 7.1

DescriptionNVD

Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. Starting in version 2.2.0 and prior to version 2.14.3, if an attacker can trick a logged-in CVAT user into visiting a malicious URL, they can initiate a dataset export or a backup from a project, task or job that the victim user has permission to export into a cloud storage that the victim user has access to. The name of the resulting file can be chosen by the attacker. This implies that the attacker can overwrite arbitrary files in any cloud storage that the victim can access and, if the attacker has read access to the cloud storage used in the attack, they can obtain media files, annotations, settings and other information from any projects, tasks or jobs that the victim has permission to export. Version 2.14.3 contains a fix for the issue. No known workarounds are available.

AnalysisAI

Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

Technical ContextAI

This vulnerability is classified as Cross-Site Request Forgery (CSRF) (CWE-352), which allows attackers to trick authenticated users into performing unintended actions. Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. Starting in version 2.2.0 and prior to version 2.14.3, if an attacker can trick a logged-in CVAT user into visiting a malicious URL, they can initiate a dataset export or a backup from a project, task or job that the victim user has permission to export into a cloud storage that the victim user has access to. The name of the resulting file can be chosen by the attacker. This implies that the attacker can overwrite arbitrary files in any cloud storage that the victim can access and, if the attacker has read access to the cloud storage used in the attack, they can obtain media files, annotations, settings and other information from any projects, tasks or jobs that the victim has permission to export. Version 2.14.3 contains a fix for the issue. No known workarounds are available. Affected products include: Cvat Computer Vision Annotation Tool. Version information: version 2.2.0.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Implement anti-CSRF tokens, validate Origin/Referer headers, use SameSite cookie attribute.

CVE-2022-31188 CRITICAL POC
9.8 Aug 01

CVAT is an opensource interactive video and image annotation tool for computer vision. Rated critical severity (CVSS 9.8

CVE-2026-23526 HIGH
8.8 Jan 21

CVAT is an open source interactive video and image annotation tool for computer vision. [CVSS 8.8 HIGH]

CVE-2024-37164 HIGH
8.5 Jun 13

Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. Rated high

CVE-2025-49135 MEDIUM
6.5 Jun 25

CVAT is an open source interactive video and image annotation tool for computer vision. Versions 2.2.0 through 2.39.0 ha

CVE-2024-45393 MEDIUM
6.4 Sep 10

Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. Rated medi

CVE-2024-47064 MEDIUM
6.3 Sep 30

Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. Rated medi

CVE-2024-47063 MEDIUM
6.2 Sep 30

Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. Rated medi

CVE-2026-23516 MEDIUM
5.4 Jan 21

CVAT is an open source interactive video and image annotation tool for computer vision. [CVSS 5.4 MEDIUM]

CVE-2024-47172 MEDIUM
5.4 Sep 30

Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. Rated medi

CVE-2025-48381 MEDIUM
5.3 May 30

Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. Rated medi

CVE-2025-23045 HIGH
8.7 Jan 28

Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. Rated high

Share

CVE-2024-37306 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy