CVE-2022-36551
Published: 2022-10-03
Priority: P3 · 48 · Severity: medium · CVSS 3.1 base score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploit / EPSS: 5.09% (91.3th percentile)
A Server Side Request Forgery (SSRF) in the Data Import module in Heartex - Label Studio Community Edition versions 1.5.0 and earlier allows an authenticated user to access arbitrary files on the system. Furthermore, self-registration is enabled by default in these versions of Label Studio enabling a remote attacker to create a new account and then exploit the SSRF.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| heartex | label_studio | <= 1.5.0 | — |
| humansignal | label-studio | >= 0 < 1.6.0 | 1.6.0 |
| humansignal | label-studio | >= 0 < 1.5.0.post0 | 1.5.0.post0 |
OSV (2022-10-04): Heartex - Label Studio Community Edition vulnerable to SSRF in the Data Import module [HIGH]. Same description as above; adds: This issue is fixed in version 1.6.0.
GHSA (2022-10-04): Heartex - Label Studio Community Edition vulnerable to SSRF in the Data Import module [HIGH], CWE-918. Same description as above; adds: This issue is fixed in version 1.6.0.
OSV (2022-10-03): CVE-2022-36551 record, same description as above.
No detection rules found.
No writeups or analysis indexed.
References:
http://heartex.com
http://labelstud.io
http://packetstormsecurity.com/files/171548/Label-Studio-1.5.0-Server-Side-Request-Forgery.html
https://github.com/heartexlabs/label-studio/pull/2840