CVE-2024-37306

7.1 HIGH

📋 TL;DR

This is a Cross-Site Request Forgery (CSRF) vulnerability in CVAT: an attacker-controlled page or link can make a logged-in user's browser start a dataset export or backup to a cloud storage that user has attached, riding on the victim's own session cookie. The attacker can thereby overwrite files in cloud storage the victim can write to and, where the attacker can read that storage, exfiltrate annotation data. Affects CVAT users with export permissions who visit an attacker-controlled URL while logged in.

💻 Affected Systems

Products:
  • Computer Vision Annotation Tool (CVAT)
Versions: 2.2.0 through 2.14.2 (inclusive)
Operating Systems: all
Default Config Vulnerable: ⚠️ Yes (the export and backup endpoints are exposed in a default deployment; impact depends on the victim having a cloud storage attached)
Notes: The victim must be logged in, hold export permission on the targeted task or project, and have a cloud storage attached that the export can write to. No attacker credentials on the CVAT instance are needed.

📦 What is this software?

CVAT (Computer Vision Annotation Tool) is an open-source, web-based tool for annotating images and video to produce computer-vision training data. It runs as a Django backend behind a browser UI and can export datasets, annotations and project/task backups to cloud storage (S3, Azure Blob Storage, Google Cloud Storage) that users attach to their account.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of cloud storage data integrity and confidentiality - attackers can overwrite critical files and exfiltrate sensitive annotation datasets, media files, and project configurations.

🟠

Likely Case

Data corruption in cloud storage and unauthorized access to annotation datasets, potentially exposing sensitive training data and intellectual property.

🟢

If Mitigated

Limited impact once patched (2.14.3 or later): a cross-site request can no longer start an export to cloud storage, so residual risk is bounded by what a legitimately logged-in user could already do with their own permissions and attached storage.

🌐 Internet-Facing: HIGH - Web application accessible over internet with CSRF vulnerability that can be exploited via malicious URLs.
🏢 Internal Only: MEDIUM - The attacker never needs to reach CVAT themselves; the victim's browser does. A lure page hosted anywhere on the internet (or delivered by internal phishing or a compromised internal site) can target an internal-only instance as long as the victim's browser can reach it and holds a live session, so network isolation alone does not close this.

🎯 Exploit Status

Public PoC: No
Weaponized: Not known
Unauthenticated Exploit: No (the victim's own authenticated session is abused)
Complexity: LOW

Exploitation requires luring a logged-in CVAT user to an attacker-controlled page or link. The forged request is sent by the victim's browser with the victim's session cookie, so the attacker needs no CVAT credentials and no authentication bypass.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.14.3

Vendor Advisory: https://github.com/cvat-ai/cvat/security/advisories/GHSA-jpf9-646h-4px7

Restart Required: Yes

Instructions:

1. Back up your CVAT database, media volumes and configuration.
2. Update CVAT to version 2.14.3 or later using your deployment method (Docker Compose, Kubernetes, etc.).
3. Restart all CVAT services so every component runs the new release.
4. Confirm the running instance reports 2.14.3 or later (see "How to Verify" below) and that a normal export from the UI still works.

🔧 Temporary Workarounds

No official workarounds: the vendor advisory lists none. Upgrading is the only complete fix.

🧯 If You Can't Patch

  • Attach cloud storages with least-privilege credentials: a storage used only as an export target does not need read or delete rights on existing objects, and a storage used only as a source does not need write rights.
  • Enable object versioning (or write-once retention) on buckets attached to CVAT so that an overwritten file can be recovered, and audit-log bucket writes so an unexpected export is visible.
  • Review which users have cloud storages attached and remove storages that are no longer needed; a victim with no attached storage has nothing for the forged export to write to.
  • Educate users about phishing risks and filter URLs at the proxy; keep CVAT sessions short so a lure is less likely to land on a live session.

🔍 How to Verify

Check if Vulnerable:

Check CVAT version: if between 2.2.0 and 2.14.2 inclusive, system is vulnerable.

Check Version:

# Note: manage.py --version prints the Django version, not CVAT's. Read the CVAT release from the server image tag instead (container name as used by the default Docker Compose deployment):
docker inspect cvat_server --format '{{.Config.Image}}'
# or ask the running instance (replace the hostname with your own):
curl -s https://cvat.example.com/api/server/about

Verify Fix Applied:

Confirm the running instance reports 2.14.3 or later, then start a dataset export to cloud storage from the CVAT UI and confirm it still completes; legitimate same-origin exports are unaffected by the fix.
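The check above reduces to classifying a version string against the affected range. The following is an added example for this page, not CVAT project code: it parses the version reported by the instance (the `version` field of `GET /api/server/about`, here replaced by a constructed dict so it runs offline) and tells you whether it falls in 2.2.0 through 2.14.2. Treating a pre-release of 2.14.3 as unfixed is a conservative choice made here, not a statement from the advisory.

```python
"""Classify a CVAT version string against the CVE-2024-37306 affected range.

Added example for this page, not CVAT project code. The range (2.2.0 up to
and including 2.14.2, fixed in 2.14.3) comes from the advisory above. The
'version' field of GET /api/server/about is where a running instance reports
it; the dict handed to assess_about() below is a constructed stand-in for
that response.
"""
import re

AFFECTED_MIN = (2, 2, 0)
FIXED = (2, 14, 3)

VERSION_RE = re.compile(r'^v?(\d+)\.(\d+)\.(\d+)(?P<rest>.*)$')
PRERELEASE_RE = re.compile(r'^[-.]?(?:a|b|rc|alpha|beta|dev)\d*', re.IGNORECASE)


def parse_version(text):
    """Return ((major, minor, patch), is_prerelease) for strings like
    '2.14.2', 'v2.14.3' or '2.14.3rc1'. Post-releases ('.post1') are not
    pre-releases."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised CVAT version: {text!r}")
    numbers = tuple(int(m.group(i)) for i in (1, 2, 3))
    return numbers, bool(PRERELEASE_RE.match(m.group("rest")))


def is_vulnerable(text):
    """True for 2.2.0 <= version < 2.14.3. A pre-release of 2.14.3 itself is
    treated as unfixed (a conservative choice made here, not an advisory claim)."""
    numbers, prerelease = parse_version(text)
    if numbers == FIXED and prerelease:
        return True
    return AFFECTED_MIN <= numbers < FIXED


def assess_about(about):
    """Evaluate the parsed JSON body of GET /api/server/about (only 'version' is used)."""
    version = about["version"]
    vulnerable = is_vulnerable(version)
    return {
        "version": version,
        "vulnerable": vulnerable,
        "action": "upgrade to CVAT 2.14.3 or later" if vulnerable else "none",
    }


if __name__ == "__main__":
    # Constructed stand-in for the /api/server/about response.
    sample_about = {"name": "Computer Vision Annotation Tool", "version": "2.14.2", "description": ""}
    print(assess_about(sample_about))
```

In practice, fetch the real response with `curl -s https://<your-cvat-host>/api/server/about`, load it with `json.loads`, and hand the dict to `assess_about`.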

📡 Detection & Monitoring

Log Indicators:

  • Unexpected export/backup requests
  • Export operations to unfamiliar cloud storage locations
  • Multiple failed export attempts

Network Indicators:

  • Requests to the dataset export or backup API endpoints that target cloud storage and carry a Referer or Origin header that is missing or names a non-CVAT origin
  • Where the proxy logs Fetch Metadata headers: the same requests arriving with Sec-Fetch-Site: cross-site (a lure page) rather than Sec-Fetch-Site: same-origin (the CVAT front end)

SIEM Query:

source="cvat" AND (event="export" OR event="backup") AND location="cloud_storage" AND NOT (referer_host IN allowed_domains)

Field names above are placeholders; map them to whatever your log pipeline extracts from the request path, query string and Referer header. Alert on any match, not only repeated ones: a single forged export is enough to overwrite a file.
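The indicators above can be checked offline against proxy access logs. The following is an added example for this page, not CVAT project code: it parses nginx combined-style log lines (CVAT's bundled Traefik logs in its own format, so the regex is an assumption you would adapt), picks out requests to the export and backup endpoints that target cloud storage, and reports those whose Referer is absent or not the CVAT origin. The endpoint paths and the `location`/`cloud_storage_id` query parameters are assumptions about CVAT's export API, and the log lines are constructed.

```python
"""Flag cross-site export/backup requests in CVAT front-end access logs.

Added example for this page, not CVAT project code. It assumes an nginx
'combined'-style access log in front of CVAT; the endpoint paths and the
location/cloud_storage_id query parameters are assumptions about CVAT's
export API, and the sample log lines are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# $remote_addr - $remote_user [time] "METHOD target PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Dataset export, annotation export and backup endpoints (path shape assumed).
EXPORT_PATH_RE = re.compile(
    r'^/api/(?:projects|tasks|jobs)/\d+/(?:dataset|backup|annotations)/?$'
)


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["query"] = parse_qs(url.query)
    return rec


def is_cloud_export(rec):
    """True when the request would start an export into cloud storage."""
    if not EXPORT_PATH_RE.match(rec["path"]):
        return False
    q = rec["query"]
    return "cloud_storage_id" in q or q.get("location") == ["cloud_storage"]


def referer_allowed(referer, allowed_hosts):
    """Only a Referer whose hostname is the CVAT origin vouches for the request.

    A missing Referer ('-') is treated as suspicious: a top-level navigation
    from a lure page with a strict referrer policy looks exactly like that,
    while the CVAT UI always sends its own origin. Matching on the parsed
    hostname (not a string prefix) keeps cvat.example.com.lure.net out."""
    if not referer or referer == "-":
        return False
    return urlsplit(referer).hostname in allowed_hosts


def find_suspicious(lines, allowed_hosts):
    """Return parsed records of cloud exports not vouched for by the CVAT origin."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_cloud_export(rec) and not referer_allowed(rec["referer"], allowed_hosts):
            hits.append(rec)
    return hits


# Constructed sample: one legitimate UI export, two cross-site exports, two benign requests.
SAMPLE_LOG = [
    '10.0.0.5 - alice [01/Jul/2024:10:00:00 +0000] "GET /api/tasks/12/dataset?format=COCO+1.0&location=cloud_storage&cloud_storage_id=3&filename=train.zip HTTP/1.1" 202 0 "https://cvat.example.com/tasks/12" "Mozilla/5.0"',
    '10.0.0.5 - alice [01/Jul/2024:10:05:13 +0000] "GET /api/tasks/12/dataset?format=COCO+1.0&location=cloud_storage&cloud_storage_id=3&filename=train.zip HTTP/1.1" 202 0 "https://lure.example.net/offer.html" "Mozilla/5.0"',
    '10.0.0.5 - alice [01/Jul/2024:10:05:14 +0000] "GET /api/projects/7/backup?location=cloud_storage&cloud_storage_id=3&filename=project.zip HTTP/1.1" 202 0 "-" "Mozilla/5.0"',
    '10.0.0.5 - alice [01/Jul/2024:10:06:00 +0000] "GET /api/tasks/12 HTTP/1.1" 200 812 "https://lure.example.net/offer.html" "Mozilla/5.0"',
    '10.0.0.5 - alice [01/Jul/2024:10:07:00 +0000] "GET /api/tasks/12/dataset?format=COCO+1.0&action=download HTTP/1.1" 200 4096 "https://cvat.example.com/tasks/12" "Mozilla/5.0"',
]

ALLOWED_HOSTS = {"cvat.example.com"}

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG, ALLOWED_HOSTS):
        print(f'{hit["time"]} {hit["user"]} {hit["method"]} {hit["path"]} referer={hit["referer"]}')
```

Exports that download locally (no `cloud_storage_id`, no `location=cloud_storage`) are deliberately not flagged: a forged local download lands in the victim's own browser and gives the attacker nothing, so the filter stays focused on the cloud-storage case this CVE is about. Expect some noise from API clients such as cvat-cli, which send no Referer; add their source addresses to an allow-list rather than weakening the missing-Referer rule.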

🔗 References

  • GitHub Security Advisory GHSA-jpf9-646h-4px7: https://github.com/cvat-ai/cvat/security/advisories/GHSA-jpf9-646h-4px7
  • NVD entry for CVE-2024-37306: https://nvd.nist.gov/vuln/detail/CVE-2024-37306
