Computer Vision Annotation Tool
cpe:2.3:a:cvat:computer_vision_annotation_tool:*:*:*:*:*:*:*
- >= 2.1.0, < 2.14.3
A server-side request forgery (SSRF) vulnerability has been identified in the Computer Vision Annotation Tool (CVAT) versions 2.1.0 prior to 2.14.3. This vulnerability allows an attacker with a CVAT account to exploit custom endpoint URLs for cloud storage, targeting intranet IP addresses or internal domain names. By doing so, the attacker could probe the CVAT backend's network for HTTP(S) servers. If a compatible web server is found that allows anonymous access or accepts known credentials, the attacker could create a cloud storage link to that server. This could lead to unauthorized file listing, extraction of specific file types supported by CVAT, or overwriting files on the server with exported CVAT data.
Exploitation of this vulnerability could allow an attacker to probe internal networks for HTTP(S) servers and, if a suitable server is found, interact with it in ways that could include unauthorized access to files and overwriting server data with CVAT exports.
Users are advised to upgrade to CVAT version 2.14.3 or later, where this vulnerability has been patched. In addition, network security measures such as virtual networks or firewalls can be implemented to restrict CVAT backend access to unrelated internal servers. For environments using internal servers, consider requiring authentication to access these resources.
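The root cause described above is a user-supplied cloud storage endpoint URL that the backend connects to without checking where it points. As an added illustration of the application-level control that complements the network measures just mentioned, the following Python function rejects endpoint URLs whose host is, or resolves to, a loopback, link-local, private or otherwise non-public address. This is example code written for this page; it is not CVAT's own validator or patch, and the function name `check_endpoint_url`, the `resolver` hook and the sample addresses are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def _default_resolver(host):
    """Resolve a hostname to every A/AAAA address it has (as strings)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _is_internal(addr):
    """True for address ranges a backend must never be pointed at by a user-controlled URL."""
    # IPv4-mapped IPv6 (::ffff:10.0.0.5) is unwrapped so the IPv4 rules apply to it too.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (
        addr.is_private      # RFC 1918, 169.254/16 and similar
        or addr.is_loopback  # 127/8, ::1
        or addr.is_link_local
        or addr.is_multicast
        or addr.is_reserved
        or addr.is_unspecified  # 0.0.0.0, ::
    )


def check_endpoint_url(url, resolver=_default_resolver):
    """Validate a user-supplied HTTP(S) endpoint URL.

    Returns the list of public addresses the host resolves to, or raises
    ValueError if the scheme is wrong, the host is missing, the host cannot be
    resolved (fail closed), or any resolved address is internal.
    Hypothetical example function; not part of CVAT.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("endpoint URL has no host")

    try:
        # Literal IP address: check it directly, no DNS lookup involved.
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        # Hostname: check every address it resolves to, not just the first one.
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except OSError as exc:  # socket.gaierror is a subclass of OSError
            raise ValueError(f"cannot resolve {host!r}: {exc}") from exc
        if not addrs:
            raise ValueError(f"{host!r} resolved to no addresses")

    internal = [str(a) for a in addrs if _is_internal(a)]
    if internal:
        raise ValueError(f"{host!r} points at internal address(es): {internal}")
    return [str(a) for a in addrs]


if __name__ == "__main__":
    # Constructed sample inputs; the resolver stub avoids real DNS.
    print(check_endpoint_url("https://s3.example.com/bucket", resolver=lambda h: ["93.184.216.34"]))
    for bad in ("http://10.0.0.5:9000", "http://169.254.169.254/", "http://[::ffff:10.0.0.5]/"):
        try:
            check_endpoint_url(bad)
        except ValueError as err:
            print("rejected:", err)
```

Two design points matter in practice: every address returned by the resolver is checked, because a name with both a public and a private record must still be rejected, and a resolution failure is treated as a rejection rather than as "nothing to block". A check like this is only a second line of defence behind the upgrade; the backend should still sit on a network segment that cannot reach unrelated internal servers.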