CVE-2022-31188

Server-Side Request Forgery Vulnerability in Computer Vision Annotation Tool (CVAT)

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

CVAT is an opensource interactive video and image annotation tool for computer vision. Versions prior to 2.0.0 were found to be subject to a Server-side request forgery (SSRF) vulnerability. Validation has been added to urls used in the affected code path in version 2.0.0. Users are advised to upgrade. There are no known workarounds for this issue.

CVAT es una herramienta de anotación de vídeo e imagen interactiva de código abierto para la visión por ordenador. Las versiones anteriores a 2.0.0, están sujetas a una vulnerabilidad de tipo Server-side request forgery (SSRF). Ha sido añadida la comprobación de las urls usadas en la ruta de código afectada en versión 2.0.0. Es recomendado a usuarios actualizar. No se presentan mitigaciones conocidas para este problema

CVAT version 2.0 suffers from a server-side request forgery vulnerability.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

Low

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-05-18 CVE Reserved
2022-08-01 CVE Published
2022-09-09 First Exploit
2024-08-03 CVE Updated
2024-12-17 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-918: Server-Side Request Forgery (SSRF)

CAPEC

References (5)

URL	Tag	Source

URL	Date	SRC
https://www.exploit-db.com/exploits/51030	2022-11-11
https://github.com/emirpolatt/CVE-2022-31188	2022-09-09
http://packetstormsecurity.com/files/169814/CVAT-2.0-Server-Side-Request-Forgery.html	2024-08-03

URL	Date	SRC
https://github.com/cvat-ai/cvat/commit/6fad1764efd922d99dbcda28c4ee72d071aa5a07	2022-12-08
https://github.com/cvat-ai/cvat/security/advisories/GHSA-7vpj-j5xv-29pr	2022-12-08

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Cvat Search vendor "Cvat"		Cvat Search vendor "Cvat" for product "Cvat"				< 2.0.0 Search vendor "Cvat" for product "Cvat" and version " < 2.0.0"		-		Affected