PT-2024-27348 · Microsoft (+1) · Azure Blob Storage (+1)

Speclad · Published 2024-06-13 · Updated 2025-01-21 · CVE-2024-37164

CVSS v3.1: 8.5 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Computer Vision Annotation Tool (CVAT) versions 2.1.0 through 2.14.3

Description: An attacker with a CVAT account can abuse the feature that lets users specify custom endpoint URLs for cloud storages based on Amazon S3 and Azure Blob Storage. Because the CVAT backend connects to whatever endpoint is supplied, the attacker can probe the internal network for HTTP(S) servers and create a cloud storage linked to an internal server. Depending on that server's configuration, this could allow the attacker to list files, extract files, and/or overwrite files on it.

Recommendations: For Computer Vision Annotation Tool (CVAT) versions 2.1.0 through 2.14.3, upgrade to CVAT 2.14.3 to receive the patch, which applies the existing SSRF mitigation measures to requests to cloud providers and prohibits access to intranet IP addresses by default. As a temporary workaround, use network security controls such as virtual networks or firewalls to block network access from the CVAT backend to unrelated servers on your internal network, and/or require authentication for access to internal servers.
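The mitigation the fix describes, a check on user-supplied storage endpoints that rejects any host resolving to an intranet address, written out as an added example for this page. It is illustrative code, not CVAT's own implementation; the function names, the pluggable resolver and the extra blocked ranges are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges that the ipaddress is_private/is_link_local checks do not all cover
# but that a backend should never be steered to by a user-supplied URL.
EXTRA_BLOCKED = [
    ipaddress.ip_network("100.64.0.0/10"),       # shared address space (CGNAT)
    ipaddress.ip_network("169.254.169.254/32"),  # cloud instance metadata service
]

def resolve_host(host):
    """Return every A/AAAA record for host as strings; IP literals map to themselves."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}

def is_allowed_endpoint(url, resolve=resolve_host):
    """Validate a custom cloud storage endpoint before the backend connects to it.

    Returns (ok, detail). Every address the host resolves to must be public;
    a single internal record is enough to reject the URL.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme must be http or https"
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials are not allowed in the endpoint URL"
    try:
        addrs = {ipaddress.ip_address(a) for a in resolve(parts.hostname)}
    except (socket.gaierror, ValueError) as exc:
        return False, f"cannot resolve {parts.hostname}: {exc}"
    for addr in addrs:
        # IPv4-mapped IPv6 literals (::ffff:10.0.0.1) must be judged as IPv4.
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
            addr = addr.ipv4_mapped
        if (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_reserved or addr.is_multicast or addr.is_unspecified
                or any(addr in net for net in EXTRA_BLOCKED)):
            return False, f"{parts.hostname} resolves to internal address {addr}"
    return True, sorted(str(a) for a in addrs)
```

Validating at creation time and connecting later leaves a DNS rebinding window, so the backend should also pin the connection to the addresses that passed this check.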

Exploit · Fix · SSRF

Weakness Enumeration

Related Identifiers

CVE-2024-37164
GHSA-Q684-4JJH-83G6

Affected Products

Amazon S3
Azure Blob Storage