CVE-2024-45393
📋 TL;DR
This vulnerability in CVAT lets any authenticated user, with no elevated role, view the delivery records of any webhook on the instance, including webhooks created by other users. The same user can also redeliver past webhook events and trigger ping events for any webhook. All CVAT instances running versions before 2.18.0 are affected.
💻 Affected Systems
- Computer Vision Annotation Tool (CVAT)
📦 What is this software?
CVAT (Computer Vision Annotation Tool) is an open-source, web-based tool for annotating images and video to produce computer vision training data. Projects and tasks are shared between users and organizations, and webhooks can be attached to projects or organizations to notify external systems (CI pipelines, chat bots, data-management services) about events such as task and job updates.
⚠️ Risk & Real-World Impact
Worst Case
An attacker with any account can read the stored deliveries of every webhook on the instance, including the event payloads CVAT sent (which describe other users' projects, tasks, jobs and related activity) and the responses returned by the target system. By replaying those deliveries or sending ping events, the attacker can make the receiving integrations process events again, so whatever automation those integrations run on webhook events can be triggered on demand.
Likely Case
Unauthorized reading of webhook delivery logs, exposing the names, identifiers and activity of other users' projects and tasks to anyone with a login on the instance.
If Mitigated
With 2.18.0 or later installed, viewing deliveries, redelivering and pinging are limited to the webhooks a user is already allowed to manage. Unauthenticated clients could not reach these endpoints in any version.
🎯 Exploit Status
Exploitation requires only a valid CVAT account; no special role is needed. The flaw is in the webhook delivery, redelivery and ping API endpoints, so ordinary HTTP requests made with the attacker's own session or API token are sufficient.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.18.0 or later
Vendor Advisory: https://github.com/cvat-ai/cvat/security/advisories/GHSA-p3c9-m7jr-jxxj
Restart Required: Yes
Instructions:
1. Back up your CVAT data and configuration (database volume and any object storage).
2. Stop the CVAT service.
3. Update to CVAT version 2.18.0 or later using your deployment method (Docker Compose, Kubernetes, etc.).
4. Restart the CVAT service.
5. Verify the update was successful (see "How to Verify" below).
🔧 Temporary Workarounds
Disable Webhooks
Temporarily disable all webhook functionality to prevent exploitation
# CVAT has no single switch that turns webhooks off; deactivate each webhook (is_active = false) or delete it
# via the project/organization webhooks page in the UI or via the webhooks API. Deactivation stops new
# deliveries; existing delivery records remain readable until the webhook is deleted.
Restrict User Access
Limit user accounts to trusted personnel and enforce strict access controls, since any account is enough to exploit this
# Review and remove unnecessary or stale user accounts, and disable self-registration if it is enabled
# Restrict access to the instance by IP allow-listing at the reverse proxy or firewall if possible
🧯 If You Can't Patch
- Segment the network so that CVAT and the systems receiving its webhooks cannot be reached from untrusted users or networks, and make webhook receivers tolerant of replayed events (idempotent handling, checking the delivery id)
- Enable detailed logging of the webhook API endpoints and monitor for access to webhooks by users other than their owners
🔍 How to Verify
Check if Vulnerable:
Check whether your CVAT version is below 2.18.0: the version is shown in the web interface (About dialog), returned by GET /api/server/about, and available inside the server container.
Check Version:
# For Docker deployments: docker exec <cvat_container> python -c "import cvat; print(cvat.__version__)"
Verify Fix Applied:
After updating, verify the reported version is 2.18.0 or later, then test behaviour directly: as user A create a webhook, and as an unrelated user B request GET /api/webhooks/<A's webhook id>/deliveries. On a patched instance the request is denied (403 or 404); on a vulnerable instance it returns the delivery list.
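The following script is an added example (not CVAT project code) that ties together the "Disable Webhooks" workaround above and the verification steps in this section: it reads the server version from /api/server/about, probes another user's webhook deliveries to confirm the fix, and can deactivate every webhook visible to the token's user. It assumes the CVAT REST API paths GET /api/server/about, GET /api/webhooks (paginated with page/page_size), PATCH /api/webhooks/{id} and GET /api/webhooks/{id}/deliveries, and token authentication via an Authorization: Token header; the CVAT_URL and CVAT_TOKEN environment variable names are the script's own convention.

```python
"""cvat_webhook_check.py: list/deactivate webhooks and verify the CVE-2024-45393 fix.

Added example, not CVAT project code. Assumed API shape (CVAT REST API):
GET /api/server/about, GET /api/webhooks (paginated), PATCH /api/webhooks/{id},
GET /api/webhooks/{id}/deliveries; auth via "Authorization: Token <key>".
"""
import json
import os
import re
import sys
import urllib.error
import urllib.request

FIXED_VERSION = (2, 18, 0)  # first release with the fix, per the advisory


def parse_version(text):
    """'2.17.0' -> (2, 17, 0); '2.18.0rc1' -> (2, 18, 0). Only the leading numeric
    components are compared; pre-release suffixes are ignored, so confirm with probe."""
    parts = tuple(int(p) for p in re.findall(r"\d+", text.split("+")[0])[:3])
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return parts


def is_vulnerable(version):
    """True when the reported server version predates the fix."""
    return parse_version(version) < FIXED_VERSION


def classify_probe(status):
    """Interpret GET /api/webhooks/{id}/deliveries for a webhook the caller does not own."""
    if status == 200:
        return "VULNERABLE: another user's webhook deliveries were returned"
    if status in (403, 404):
        return "OK: access to another user's webhook deliveries was denied"
    return f"INCONCLUSIVE: unexpected HTTP {status}"


class CvatClient:
    def __init__(self, base_url, token):
        self.base_url = base_url.rstrip("/")
        self.token = token

    def request(self, method, path, body=None):
        """Return (status, decoded JSON or None); HTTP errors are returned, not raised."""
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(self.base_url + path, data=data, method=method)
        req.add_header("Authorization", f"Token {self.token}")
        req.add_header("Accept", "application/json")
        if data is not None:
            req.add_header("Content-Type", "application/json")
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                raw = resp.read()
                return resp.status, (json.loads(raw) if raw else None)
        except urllib.error.HTTPError as err:
            return err.code, None

    def version(self):
        status, body = self.request("GET", "/api/server/about")
        return body.get("version", "") if status == 200 and body else ""

    def list_webhooks(self):
        """Walk the paginated list; only webhooks visible to the token's user are returned."""
        hooks, page = [], 1
        while True:
            status, body = self.request("GET", f"/api/webhooks?page={page}&page_size=100")
            if status != 200 or not body:
                break
            hooks.extend(body.get("results", []))
            if not body.get("next"):
                break
            page += 1
        return hooks

    def deactivate(self, webhook_id):
        status, _ = self.request("PATCH", f"/api/webhooks/{webhook_id}", {"is_active": False})
        return status == 200


def main(argv):
    client = CvatClient(os.environ.get("CVAT_URL", "http://localhost:8080"), os.environ["CVAT_TOKEN"])
    cmd = argv[1] if len(argv) > 1 else "version"
    if cmd == "version":
        ver = client.version()
        if not ver:
            print("could not read /api/server/about")
        else:
            print(f"server version {ver}: " + ("VULNERABLE (< 2.18.0)" if is_vulnerable(ver) else "not affected"))
    elif cmd == "probe" and len(argv) > 2:
        # argv[2]: id of a webhook owned by a different user than the token's owner
        status, _ = client.request("GET", f"/api/webhooks/{argv[2]}/deliveries")
        print(classify_probe(status))
    elif cmd == "deactivate-all":
        for hook in client.list_webhooks():
            if hook.get("is_active"):
                print(f"webhook {hook['id']} -> {hook.get('target_url')}: deactivated={client.deactivate(hook['id'])}")
    else:
        print("usage: CVAT_URL=... CVAT_TOKEN=... cvat_webhook_check.py [version | probe <webhook_id> | deactivate-all]")
        return 2
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run `probe` with a token belonging to a low-privilege account and the id of a webhook that account did not create; a 200 response is the vulnerable behaviour this CVE describes, and a 403 or 404 shows the permission check is in place. `deactivate-all` only affects webhooks the token's user can see, so run it per owner or with an administrator token.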
📡 Detection & Monitoring
Log Indicators:
- Requests to /api/webhooks/<id>/deliveries (and individual delivery records) for webhook ids that the requesting user does not own; on an unpatched instance these succeed with HTTP 200, so the alert must correlate the request with the webhook's owner rather than rely on the status code
- Sequences of requests walking through consecutive webhook ids from one account (enumeration)
- Multiple redelivery or ping POSTs from a single user account in a short window, especially against webhooks that user did not create
Network Indicators:
- Unusual volumes of API calls to /api/webhooks/<id>/deliveries endpoints from one client
- Repeated POST requests to /api/webhooks/<id>/deliveries/<delivery_id>/redelivery or /api/webhooks/<id>/ping
SIEM Query:
source="cvat" (uri_path="/api/webhooks/*/deliveries*" OR uri_path="/api/webhooks/*/ping")
| rex field=uri_path "^/api/webhooks/(?<webhook_id>\d+)/"
| lookup cvat_webhook_owners webhook_id OUTPUT owner
| where user!=owner
The cvat_webhook_owners lookup (webhook_id, owner) has to be maintained from the output of GET /api/webhooks, since the access log alone does not say who owns a webhook; without it the query can only show request volume per user.
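The same two detections, cross-user webhook access and redelivery bursts, as offline Python over access-log lines. This is an added example, not CVAT code: the JSON log format, the sample lines and the owner inventory are constructed for illustration, and the endpoint shape (/api/webhooks/{id}/deliveries[/{delivery_id}[/redelivery]] and /api/webhooks/{id}/ping) is assumed from the CVAT API. Adapt parse_line() to whatever your reverse proxy or Django logging actually emits.

```python
"""Detect cross-user CVAT webhook access and redelivery bursts from access logs.

Added example, not CVAT code. The log lines and the owner inventory below are
constructed for illustration (one JSON object per line; fields user, method,
path, status, ts as epoch seconds).
"""
import json
import re
from collections import defaultdict

# Assumed CVAT API shape: /api/webhooks/{id}/deliveries[/{delivery_id}[/redelivery]]
# and /api/webhooks/{id}/ping.
WEBHOOK_PATH = re.compile(
    r"^/api/webhooks/(?P<hook>\d+)/(?P<action>deliveries|ping)"
    r"(?:/(?P<delivery>\d+)(?P<redeliver>/redelivery)?)?/?$"
)

# Constructed inventory: webhook id -> owner username (build it from GET /api/webhooks as an admin).
WEBHOOK_OWNERS = {101: "alice", 102: "bob"}
EXEMPT_USERS = {"admin"}  # accounts legitimately allowed to see every webhook

# Constructed sample log: mallory reads alice's and bob's webhook deliveries, replays
# one of bob's deliveries five times and pings alice's webhook.
SAMPLE_LOG = """\
{"ts": 1700000000, "user": "alice",   "method": "GET",  "path": "/api/webhooks/101/deliveries", "status": 200}
{"ts": 1700000010, "user": "mallory", "method": "GET",  "path": "/api/webhooks/101/deliveries", "status": 200}
{"ts": 1700000015, "user": "mallory", "method": "GET",  "path": "/api/webhooks/102/deliveries/7", "status": 403}
{"ts": 1700000020, "user": "mallory", "method": "POST", "path": "/api/webhooks/102/deliveries/7/redelivery", "status": 200}
{"ts": 1700000021, "user": "mallory", "method": "POST", "path": "/api/webhooks/102/deliveries/7/redelivery", "status": 200}
{"ts": 1700000022, "user": "mallory", "method": "POST", "path": "/api/webhooks/102/deliveries/7/redelivery", "status": 200}
{"ts": 1700000023, "user": "mallory", "method": "POST", "path": "/api/webhooks/102/deliveries/7/redelivery", "status": 200}
{"ts": 1700000024, "user": "mallory", "method": "POST", "path": "/api/webhooks/102/deliveries/7/redelivery", "status": 200}
{"ts": 1700000030, "user": "mallory", "method": "POST", "path": "/api/webhooks/101/ping", "status": 200}
{"ts": 1700000040, "user": "admin",   "method": "GET",  "path": "/api/webhooks/101/deliveries", "status": 200}
{"ts": 1700000050, "user": "bob",     "method": "GET",  "path": "/api/tasks", "status": 200}
"""


def parse_line(line):
    """Return (ts, user, method, path, status, match) or None for non-webhook requests."""
    rec = json.loads(line)
    m = WEBHOOK_PATH.match(rec["path"])
    if not m:
        return None
    return rec["ts"], rec["user"], rec["method"].upper(), rec["path"], rec["status"], m


def analyze(log_text, owners=WEBHOOK_OWNERS, exempt=EXEMPT_USERS,
            burst_threshold=5, window_seconds=60):
    """Return alert dicts: 'cross_user_access' when a non-exempt user touches a
    webhook they do not own (status 200 means data was served; 403/404 is a
    blocked attempt, still worth knowing about), and 'redelivery_burst' when
    one user gets burst_threshold successful redelivery/ping POSTs through
    within window_seconds."""
    alerts = []
    recent = defaultdict(list)  # user -> timestamps of recent successful replay POSTs
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, method, path, status, m = parsed
        hook = int(m.group("hook"))
        owner = owners.get(hook)
        if owner is not None and user != owner and user not in exempt:
            alerts.append({"rule": "cross_user_access", "user": user, "hook": hook,
                           "owner": owner, "path": path, "status": status, "ts": ts})
        is_replay = method == "POST" and bool(m.group("redeliver") or m.group("action") == "ping")
        if is_replay and status == 200:
            window = [t for t in recent[user] if ts - t <= window_seconds] + [ts]
            recent[user] = window
            if len(window) == burst_threshold:  # fire once when the threshold is reached
                alerts.append({"rule": "redelivery_burst", "user": user, "count": len(window),
                               "window_seconds": window_seconds, "ts": ts})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The owner inventory is the important part: the vulnerable endpoints answer 200 to everyone, so a status-code rule sees nothing, and only the owner comparison exposes the access. Keeping the rule after patching is still useful, because a 403 on another user's webhook is someone probing for exactly this bug.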