
CVE-2023-47116

Label Studio SSRF on Import Bypassing `SSRF_PROTECTION_ENABLED` Protections

  • Severity Score (CVSS v3.1): 5.3
  • Public Exploits (Multiple Sources): 1
  • Exploited in Wild (KEV): -
  • Decision (SSVC): -

Descriptions

Label Studio is a popular open source data labeling tool. The vulnerability affects all versions of Label Studio prior to 1.11.0 and was tested on version 1.8.2. Label Studio's SSRF protections that can be enabled by setting the `SSRF_PROTECTION_ENABLED` environment variable can be bypassed to access internal web servers. This is because the current SSRF validation is done by executing a single DNS lookup to verify that the IP address is not in an excluded subnet range. This protection can be bypassed by either using HTTP redirection or performing a DNS rebinding attack.
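
The two bypasses named in the description both rely on the check and the actual connection disagreeing about the destination. The sketch below is an added example, not Label Studio's code or its 1.11.0 fix: it resolves each hop once, validates every returned address, hands the validated IP to the transport, and re-validates each redirect target. The names `pin`, `safe_fetch`, `send` and `BlockedURL` are hypothetical, and "not globally routable" is an assumed stand-in for the excluded subnet ranges.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

REDIRECTS = (301, 302, 303, 307, 308)


class BlockedURL(Exception):
    """Raised when a URL, or any hop it redirects to, is not a public address."""


def system_resolve(host):
    # Default resolver; callers can inject another one (the tests use a fake).
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def pin(url, resolve=system_resolve):
    """Resolve the host once and return the validated IP to connect to."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise BlockedURL(f"unsupported URL: {url}")
    addrs = [ipaddress.ip_address(a) for a in resolve(parts.hostname)]
    # Assumption: any non-global answer is treated as an excluded range.
    # Every answer is checked, so a mixed public/internal record set fails.
    if not addrs or any(not a.is_global for a in addrs):
        raise BlockedURL(f"{parts.hostname} resolves to a non-public address")
    return str(addrs[0])


def safe_fetch(url, send, resolve=system_resolve, max_hops=5):
    """Fetch url through send(ip, url) -> (status, location, body).

    send is a hypothetical transport that must connect to `ip` directly
    (keeping the original Host header and TLS name) and must not follow
    redirects itself. Without pinning, the HTTP client would do its own
    second DNS lookup, which is the window DNS rebinding uses.
    """
    for _ in range(max_hops):
        ip = pin(url, resolve)                   # one lookup per hop
        status, location, body = send(ip, url)   # connect to the checked IP
        if status in REDIRECTS and location:
            url = urljoin(url, location)         # next hop is validated too
            continue
        return body
    raise BlockedURL("too many redirects")
```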

*Credits: N/A
CVSS Scores
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: None
  • Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2023-10-30 CVE Reserved
  • 2024-01-31 CVE Published
  • 2024-02-10 EPSS Updated
  • 2024-08-02 CVE Updated
  • 2024-08-02 First Exploit
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-918: Server-Side Request Forgery (SSRF)
CAPEC
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
Humansignal | Label Studio | < 1.11.0 | - | Affected