CVE-2024-10141
Published: 19 October 2024
Summary
CVE-2024-10141 is a medium-severity Predictable from Observable State (CWE-341) vulnerability in Jsbroks Coco Annotator. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 41.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as Computer Vision; in the Other ATLAS/OWASP Terms risk domain; MITRE ATLAS techniques in scope: AI Supply Chain Compromise (AML.T0010), External Harms (AML.T0048).
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-32933
Vulnerability details
A vulnerability, which was classified as problematic, was found in jsbroks COCO Annotator 0.11.1. This affects an unknown part of the component Session Handler. The manipulation of the argument SECRET_KEY leads to predictable from observable state. It is possible to…
more
initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used.
- CWE(s)
AI Security AnalysisAI
- AI Category
- Computer Vision
- Risk Domain
- Other ATLAS/OWASP Terms
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- COCO Annotator is a web-based tool for annotating images in COCO format, primarily used for preparing datasets in computer vision tasks such as object detection in AI/ML workflows.
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability in the session handler due to a default/static SECRET_KEY enables remote attackers to forge arbitrary session cookies, impersonating any user including administrators, aligning with exploitation of public-facing web applications and forging web credentials.
MITRE ATLAS TechniquesAI
MITRE ATLAS techniques
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.