Missing Authorization in Computer Vision Annotation Tool (CVAT) - CVE-2024-45393

 

Published: September 10, 2024 / Updated: May 21, 2026


Vulnerability identifier: #VU132048
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-45393
CWE-ID: CWE-862
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Intel
Affected software:
Computer Vision Annotation Tool (CVAT)

Detailed vulnerability description

The vulnerability allows a remote user to access webhook delivery information and trigger webhook deliveries for other users.

The vulnerability exists due to improper access control in endpoints related to webhook deliveries when handling requests for webhook delivery operations. A remote user can send crafted requests to view delivery information, redeliver past deliveries, or trigger ping events for webhooks belonging to other users.

The exposed delivery information may include details about the event that caused the delivery, including information about the affected object and the user who performed the action.
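
An added illustration (not CVAT's code or the vendor's patch) of the missing-authorization pattern described above: a handler that only relies on the caller being authenticated, beside one that checks the parent webhook's owner before every delivery action. The data model, function names, `is_admin` flag and single-owner rule are simplifying assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Webhook:
    id: int
    owner: str
    deliveries: dict = field(default_factory=dict)  # delivery_id -> payload

class Forbidden(Exception):
    pass

# Constructed sample data: alice owns webhook 1, which has one past delivery.
WEBHOOKS = {1: Webhook(1, "alice", {10: {"event": "update:task", "sender": "alice"}})}

# Delivery-related operations named in the advisory (names are hypothetical).
DELIVERY_ACTIONS = {"list_deliveries", "retrieve_delivery", "redelivery", "ping"}

def _perform(hook, action, delivery_id):
    if action == "list_deliveries":
        return sorted(hook.deliveries)
    if action == "retrieve_delivery":
        return hook.deliveries[delivery_id]
    if action == "redelivery":
        return {"redelivered": delivery_id}
    return {"ping": hook.id}

def handle_missing_authz(user, webhook_id, action, delivery_id=None):
    """CWE-862 pattern: the parent webhook's owner is never compared to the caller."""
    return _perform(WEBHOOKS[webhook_id], action, delivery_id)

def handle_with_authz(user, webhook_id, action, delivery_id=None, is_admin=False):
    """Hardened: every delivery action is authorized against the parent webhook."""
    hook = WEBHOOKS.get(webhook_id)
    if hook is None or action not in DELIVERY_ACTIONS:
        raise Forbidden("unknown webhook or action")
    if not (is_admin or hook.owner == user):
        raise Forbidden(f"{user} may not {action} on webhook {webhook_id}")
    return _perform(hook, action, delivery_id)

def audit(handler, user="mallory"):
    """Regression check: list the delivery actions a non-owner can still perform."""
    exposed = []
    for action in sorted(DELIVERY_ACTIONS):
        try:
            handler(user, 1, action, delivery_id=10)
            exposed.append(action)
        except Forbidden:
            pass
    return exposed
```

Running `audit` against each handler in a test suite turns the advisory into a regression check: any delivery action it returns is one a non-owner can still reach.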


How to mitigate CVE-2024-45393

Install the security update from the vendor's website.
