CVE-2023-47117

Object Relational Mapper Leak Vulnerability in Filtering Task in Label Studio

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Label Studio is an open source data labeling tool. In all current versions of Label Studio prior to 1.9.2post0, the application allows users to insecurely set filters for filtering tasks. An attacker can construct a filter chain to filter tasks based on sensitive fields for all user accounts on the platform by exploiting Django's Object Relational Mapper (ORM). Since the results of query can be manipulated by the ORM filter, an attacker can leak these sensitive fields character by character. In addition, Label Studio had a hard coded secret key that an attacker can use to forge a session token of any user by exploiting this ORM Leak vulnerability to leak account password hashes. This vulnerability has been addressed in commit `f931d9d129` which is included in the 1.9.2post0 release. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Label Studio es una herramienta de etiquetado de datos de código abierto. En todas las versiones actuales de Label Studio anteriores a la 1.9.2post0, la aplicación permite a los usuarios configurar filtros de forma insegura para tareas de filtrado. Un atacante puede construir una cadena de filtros para filtrar tareas basadas en campos confidenciales para todas las cuentas de usuario en la plataforma explotando el Object Relational Mapper (ORM) de Django. Dado que los resultados de la consulta pueden ser manipulados por el filtro ORM, un atacante puede filtrar estos campos confidenciales carácter por carácter. Además, Label Studio tenía una clave secreta codificada que un atacante puede usar para falsificar un token de sesión de cualquier usuario explotando esta vulnerabilidad de fuga de ORM para filtrar hashes de contraseñas de cuentas. Esta vulnerabilidad se solucionó en el commit `f931d9d129` que se incluye en la versión 1.9.2post0. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad.

*Credits: N/A

CVSS Scores

NISTv3.1 7.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-10-30 CVE Reserved
2023-11-13 CVE Published
2024-08-02 CVE Updated
2024-08-02 First Exploit
2024-10-13 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CAPEC

References (2)

URL	Tag	Source

URL	Date	SRC
https://github.com/HumanSignal/label-studio/security/advisories/GHSA-6hjj-gq77-j4qw	2024-08-02

URL	Date	SRC
https://github.com/HumanSignal/label-studio/commit/f931d9d129002f54a495995774ce7384174cef5c	2023-11-20

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Humansignal Search vendor "Humansignal"		Label Studio Search vendor "Humansignal" for product "Label Studio"				< 1.9.2 Search vendor "Humansignal" for product "Label Studio" and version " < 1.9.2"		-		Affected
Humansignal Search vendor "Humansignal"		Label Studio Search vendor "Humansignal" for product "Label Studio"				1.9.2 Search vendor "Humansignal" for product "Label Studio" and version "1.9.2"		-		Affected