CVE-2023-47116
published 2024-01-31


Priority: P4 29, medium, 5.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.74% (49.9th percentile)

Label Studio is a popular open source data labeling tool. The vulnerability affects all versions of Label Studio prior to 1.11.0 and was tested on version 1.8.2. Label Studio's SSRF protections, which can be enabled by setting the `SSRF_PROTECTION_ENABLED` environment variable, can be bypassed to access internal web servers. This is because the current SSRF validation executes a single DNS lookup to verify that the IP address is not in an excluded subnet range. The protection can be bypassed either by using HTTP redirection or by performing a DNS rebinding attack.
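
The gap described above, as an added example (not Label Studio's code and not its actual fix): a single up-front lookup approves the first URL only, while a guarded fetch re-validates every redirect hop and connects to the exact IP it validated. The `resolve` and `fetch` callables, the host `files.example` and all addresses are constructed stand-ins so the example runs offline.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit

REDIRECTS = (301, 302, 303, 307, 308)

def is_public(ip):
    return ipaddress.ip_address(ip).is_global

def naive_check(url, resolve):
    """Pattern from the description: one DNS lookup, on the first URL only."""
    return is_public(resolve(urlsplit(url).hostname))

def guarded_fetch(url, resolve, fetch, max_hops=5):
    """Validate every hop, and connect to the exact IP that was validated.

    resolve(host) -> ip string; fetch(ip, url) -> (status, location, body).
    Both are injected so the example runs offline (assumed interfaces).
    """
    for _ in range(max_hops):
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise ValueError(f"blocked: unsupported URL {url!r}")
        ip = resolve(parts.hostname)             # one lookup per hop
        if not is_public(ip):
            raise ValueError(f"blocked: {parts.hostname} resolves to {ip}")
        status, location, body = fetch(ip, url)  # pinned IP, no second lookup
        if status not in REDIRECTS or not location:
            return body
        url = urljoin(url, location)             # next hop is re-validated
    raise ValueError("blocked: too many redirects")

# --- Constructed stand-ins for DNS and HTTP (not real hosts or traffic) ---
def table_resolver(table):
    return lambda host: table.get(host, host)    # IP literals map to themselves

def flipping_resolver(answers):
    it = iter(answers)                           # a new answer on each lookup
    return lambda host: next(it)

def redirecting_fetch(ip, url):
    if url == "http://files.example/a.png":
        return 302, "http://10.0.0.5/admin", b""
    return 200, None, b"served from " + ip.encode()

DNS = table_resolver({"files.example": "93.184.216.34"})
```

In a real HTTP client, pinning means opening the socket to the validated IP while still sending the original hostname in the Host header and TLS SNI, with automatic redirect following disabled so each `Location` passes through the same check.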

Affected

4 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| humansignal | label-studio | < 1.11.0 | 1.11.0 |
| humansignal | label-studio | >= 0 < 1.11.0 | 1.11.0 |
| humansignal | label-studio | >= 0 < 55dd6af4716b92f2bb213fe461d1ffbc380c6a64 | 55dd6af4716b92f2bb213fe461d1ffbc380c6a64 |
| humansignal | label_studio | < 1.11.0 | 1.11.0 |