{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-37164", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-06-03T17:29:38.330Z", "datePublished": "2024-06-13T14:10:16.920Z", "dateUpdated": "2024-08-02T03:50:54.673Z"}, "containers": {"cna": {"title": "CVAT SSRF via custom cloud storage endpoints", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/cvat-ai/cvat/security/advisories/GHSA-q684-4jjh-83g6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/cvat-ai/cvat/security/advisories/GHSA-q684-4jjh-83g6"}, {"name": "https://github.com/cvat-ai/cvat/commit/f2346934c80bd91740f55c2788ef7d535a291d4c", "tags": ["x_refsource_MISC"], "url": "https://github.com/cvat-ai/cvat/commit/f2346934c80bd91740f55c2788ef7d535a291d4c"}], "affected": [{"vendor": "cvat-ai", "product": "cvat", "versions": [{"version": ">= 2.1.0, < 2.14.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-06-13T14:16:42.293Z"}, "descriptions": [{"lang": "en", "value": "Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. CVAT allows users to supply custom endpoint URLs for cloud storages based on Amazon S3 and Azure Blob Storage. Starting in version 2.1.0 and prior to version 2.14.3, an attacker with a CVAT account can exploit this feature by specifying URLs whose host part is an intranet IP address or an internal domain name. By doing this, the attacker may be able to probe the network that the CVAT backend runs in for HTTP(S) servers. In addition, if there is a web server on this network that is sufficiently API-compatible with an Amazon S3 or Azure Blob Storage endpoint, and either allows anonymous access, or allows authentication with credentials that are known by the attacker, then the attacker may be able to create a cloud storage linked to this server. They may then be able to list files on the server; extract files from the server, if these files are of a type that CVAT supports reading from cloud storage (media data (such as images/videos/archives), importable annotations or datasets, task/project backups); and/or overwrite files on this server with exported annotations/datasets/backups. The exact capabilities of the attacker will depend on how the internal server is configured. Users should upgrade to CVAT 2.14.3 to receive a patch. In this release, the existing SSRF mitigation measures are applied to requests to cloud providers, with access to intranet IP addresses prohibited by default. Some workarounds are also available. One may use network security solutions such as virtual networks or firewalls to prohibit network access from the CVAT backend to unrelated servers on your internal network and/or require authentication for access to internal servers."}], "source": {"advisory": "GHSA-q684-4jjh-83g6", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "cvat-ai", "product": "cvat", "cpes": ["cpe:2.3:a:cvat-ai:cvat:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.1.0", "versionType": "custom"}, {"version": "2.1.0", "status": "affected", "lessThanOrEqual": "2.14.2", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-13T15:59:39.498525Z", "id": "CVE-2024-37164", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-13T16:04:09.305Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:50:54.673Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/cvat-ai/cvat/security/advisories/GHSA-q684-4jjh-83g6", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/cvat-ai/cvat/security/advisories/GHSA-q684-4jjh-83g6"}, {"name": "https://github.com/cvat-ai/cvat/commit/f2346934c80bd91740f55c2788ef7d535a291d4c", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/cvat-ai/cvat/commit/f2346934c80bd91740f55c2788ef7d535a291d4c"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/cvat-ai/cvat/security/advisories/GHSA-q684-4jjh-83g6", "name": "https://github.com/cvat-ai/cvat/security/advisories/GHSA-q684-4jjh-83g6", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/cvat-ai/cvat/commit/f2346934c80bd91740f55c2788ef7d535a291d4c", "name": "https://github.com/cvat-ai/cvat/commit/f2346934c80bd91740f55c2788ef7d535a291d4c", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:50:54.673Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-37164", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-13T15:59:39.498525Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:cvat-ai:cvat:*:*:*:*:*:*:*:*"], "vendor": "cvat-ai", "product": "cvat", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2.1.0"}, {"status": "affected", "version": "2.1.0", "versionType": "custom", "lessThanOrEqual": "2.14.2"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-13T16:04:04.494Z"}}], "cna": {"title": "CVAT SSRF via custom cloud storage endpoints", "source": {"advisory": "GHSA-q684-4jjh-83g6", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "cvat-ai", "product": "cvat", "versions": [{"status": "affected", "version": ">= 2.1.0, < 2.14.3"}]}], "references": [{"url": "https://github.com/cvat-ai/cvat/security/advisories/GHSA-q684-4jjh-83g6", "name": "https://github.com/cvat-ai/cvat/security/advisories/GHSA-q684-4jjh-83g6", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/cvat-ai/cvat/commit/f2346934c80bd91740f55c2788ef7d535a291d4c", "name": "https://github.com/cvat-ai/cvat/commit/f2346934c80bd91740f55c2788ef7d535a291d4c", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. CVAT allows users to supply custom endpoint URLs for cloud storages based on Amazon S3 and Azure Blob Storage. Starting in version 2.1.0 and prior to version 2.14.3, an attacker with a CVAT account can exploit this feature by specifying URLs whose host part is an intranet IP address or an internal domain name. By doing this, the attacker may be able to probe the network that the CVAT backend runs in for HTTP(S) servers. In addition, if there is a web server on this network that is sufficiently API-compatible with an Amazon S3 or Azure Blob Storage endpoint, and either allows anonymous access, or allows authentication with credentials that are known by the attacker, then the attacker may be able to create a cloud storage linked to this server. They may then be able to list files on the server; extract files from the server, if these files are of a type that CVAT supports reading from cloud storage (media data (such as images/videos/archives), importable annotations or datasets, task/project backups); and/or overwrite files on this server with exported annotations/datasets/backups. The exact capabilities of the attacker will depend on how the internal server is configured. Users should upgrade to CVAT 2.14.3 to receive a patch. In this release, the existing SSRF mitigation measures are applied to requests to cloud providers, with access to intranet IP addresses prohibited by default. Some workarounds are also available. One may use network security solutions such as virtual networks or firewalls to prohibit network access from the CVAT backend to unrelated servers on your internal network and/or require authentication for access to internal servers."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-06-13T14:16:42.293Z"}}}, "cveMetadata": {"cveId": "CVE-2024-37164", "state": "PUBLISHED", "dateUpdated": "2024-08-02T03:50:54.673Z", "dateReserved": "2024-06-03T17:29:38.330Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-06-13T14:10:16.920Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cvat:computer_vision_annotation_tool:*:*:*:*:*:*:*:*", "matchCriteriaId": "79D9A221-39D1-431D-8E97-21847C8ACEB6", "versionEndExcluding": "2.14.3", "versionStartIncluding": "2.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. CVAT allows users to supply custom endpoint URLs for cloud storages based on Amazon S3 and Azure Blob Storage. Starting in version 2.1.0 and prior to version 2.14.3, an attacker with a CVAT account can exploit this feature by specifying URLs whose host part is an intranet IP address or an internal domain name. By doing this, the attacker may be able to probe the network that the CVAT backend runs in for HTTP(S) servers. In addition, if there is a web server on this network that is sufficiently API-compatible with an Amazon S3 or Azure Blob Storage endpoint, and either allows anonymous access, or allows authentication with credentials that are known by the attacker, then the attacker may be able to create a cloud storage linked to this server. They may then be able to list files on the server; extract files from the server, if these files are of a type that CVAT supports reading from cloud storage (media data (such as images/videos/archives), importable annotations or datasets, task/project backups); and/or overwrite files on this server with exported annotations/datasets/backups. The exact capabilities of the attacker will depend on how the internal server is configured. Users should upgrade to CVAT 2.14.3 to receive a patch. In this release, the existing SSRF mitigation measures are applied to requests to cloud providers, with access to intranet IP addresses prohibited by default. Some workarounds are also available. One may use network security solutions such as virtual networks or firewalls to prohibit network access from the CVAT backend to unrelated servers on your internal network and/or require authentication for access to internal servers."}, {"lang": "es", "value": "Computer Vision Annotation Tool (CVAT) es una herramienta interactiva de anotaci\u00f3n de im\u00e1genes y videos para visi\u00f3n por computadora. CVAT permite a los usuarios proporcionar URL de endpoints personalizados para almacenamientos en la nube basados en Amazon S3 y Azure Blob Storage. A partir de la versi\u00f3n 2.1.0 y antes de la versi\u00f3n 2.14.3, un atacante con una cuenta CVAT puede aprovechar esta caracter\u00edstica especificando URL cuya parte del host sea una direcci\u00f3n IP de intranet o un nombre de dominio interno. Al hacer esto, el atacante puede sondear la red en la que se ejecuta el backend CVAT en busca de servidores HTTP(S). Adem\u00e1s, si hay un servidor web en esta red que es suficientemente compatible con API con un endpoint de Amazon S3 o Azure Blob Storage y permite el acceso an\u00f3nimo o permite la autenticaci\u00f3n con credenciales conocidas por el atacante, entonces el atacante puede poder crear un almacenamiento en la nube vinculado a este servidor. Luego podr\u00e1n enumerar archivos en el servidor; extraer archivos del servidor, si estos archivos son de un tipo que CVAT admite la lectura desde el almacenamiento en la nube (datos multimedia (como im\u00e1genes/videos/archivos), anotaciones o conjuntos de datos importables, copias de seguridad de tareas/proyectos); y/o sobrescribir archivos en este servidor con anotaciones/conjuntos de datos/copias de seguridad exportados. Las capacidades exactas del atacante depender\u00e1n de c\u00f3mo est\u00e9 configurado el servidor interno. Los usuarios deben actualizar a CVAT 2.14.3 para recibir un parche. En esta versi\u00f3n, las medidas de mitigaci\u00f3n SSRF existentes se aplican a las solicitudes a proveedores de nube, y el acceso a direcciones IP de intranet est\u00e1 prohibido de forma predeterminada. Tambi\u00e9n hay algunas soluciones disponibles. Se pueden utilizar soluciones de seguridad de red, como redes virtuales o firewalls, para prohibir el acceso a la red desde el backend de CVAT a servidores no relacionados en su red interna y/o requerir autenticaci\u00f3n para acceder a los servidores internos."}], "id": "CVE-2024-37164", "lastModified": "2025-01-21T14:35:52.867", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-06-13T15:15:52.990", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/cvat-ai/cvat/commit/f2346934c80bd91740f55c2788ef7d535a291d4c"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/cvat-ai/cvat/security/advisories/GHSA-q684-4jjh-83g6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/cvat-ai/cvat/commit/f2346934c80bd91740f55c2788ef7d535a291d4c"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/cvat-ai/cvat/security/advisories/GHSA-q684-4jjh-83g6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-918"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}