CVE-2023-47117
Published: 2023-11-13
Priority: P3 · 56 · Severity: high · CVSS 3.1 base score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploit
EPSS: 4.06% (89.4th percentile)
Label Studio is an open source data labeling tool. In all current versions of Label Studio prior to 1.9.2post0, the application allows users to insecurely set filters for filtering tasks. An attacker can construct a filter chain to filter tasks based on sensitive fields for all user accounts on the platform by exploiting Django's Object Relational Mapper (ORM). Since the results of the query can be manipulated by the ORM filter, an attacker can leak these sensitive fields character by character. In addition, Label Studio had a hard-coded secret key that an attacker can use to forge a session token of any user by exploiting this ORM Leak vulnerability to leak account password hashes. This vulnerability has been addressed in commit `f931d9d129`, which is included in the 1.9.2post0 release. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| humansignal | label-studio | < 1.9.2post0 | 1.9.2post0 |
| humansignal | label-studio | >= 0 < f931d9d129002f54a495995774ce7384174cef5c | f931d9d129002f54a495995774ce7384174cef5c |
| humansignal | label-studio | >= 0 < 1.9.2 | 1.9.2 |
| humansignal | label-studio | >= 0 < 1.9.2.post0 | 1.9.2.post0 |
| humansignal | label_studio | < 1.9.2 | 1.9.2 |
| humansignal | label_studio | — | — |
Detection & IOCs (extracted from sources)
- Look for PATCH requests to /api/dm/views/ with 'interaction=filter' query parameter containing ORM traversal filter keys such as 'filter:tasks:updated_by__active_organization__active_users__password' in the JSON body — this is the exploit payload for leaking password hashes character-by-character.
- Detect JSON bodies in PATCH /api/dm/views requests containing deeply nested Django ORM filter traversal paths (double-underscore chaining) targeting user credential fields, e.g. 'active_organization__active_users__password'.
- Responses to /api/tasks with 'interaction=filter' that contain 'completed_at', 'file_upload', and 'annotators' fields confirm successful exploitation of the ORM leak.
- Label Studio instances can be fingerprinted on Shodan using favicon hash -1649949475 to identify exposed targets.
- The vulnerability is exploitable by authenticated users; monitor for repeated PATCH requests to /api/dm/views/ with varying regex values (single character increments) as a sign of character-by-character enumeration of password hashes.
- Label Studio had a hard-coded secret key; forged session tokens may be used post-hash-leak. Monitor for session tokens belonging to high-privilege accounts appearing from unexpected IPs.
- The exploit requires valid credentials (authenticated access) to reach the vulnerable PATCH /api/dm/views/ endpoint; unauthenticated exploitation is only possible if the hard-coded secret key is used to forge a session token after hash leakage.
- The fix is included in commit f931d9d129 and release 1.9.2post0; all prior versions are affected. Detection rules should scope to Label Studio versions prior to 1.9.2post0.
- The Nuclei template requires the tester to supply task ID and project ID variables ({{task}} and {{project}}); automated scanning without these values will not produce valid exploit requests.
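The detection notes above describe two signals: a PATCH to /api/dm/views/ with `interaction=filter` whose JSON body chains Django ORM relations (double underscores) down to a credential field, and a run of such requests from one client whose regex value grows one character at a time. The following is an added example, not code from this CVE record or from Label Studio, that implements both checks over constructed request records. It assumes each filter item in the body is a JSON object with `filter`, `operator` and `value` keys (the walk is recursive, so the surrounding structure does not matter), and the credential field names other than `password` are assumptions added for coverage.

```python
import json
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Field names treated as credential material when they terminate a traversal
# chain. 'password' comes from the advisory; the others are assumptions.
CREDENTIAL_FIELDS = {"password", "auth_token", "token", "api_key"}

# A Label Studio filter key of the form filter:tasks:<field>__<relation>__...
# Only double-underscore chains (ORM relation traversal) are of interest.
ORM_CHAIN_KEY = re.compile(r"^filter:tasks:(?P<path>\w+(?:__\w+)+)$")


def is_views_filter_request(method, url):
    """True for PATCH /api/dm/views/... requests carrying interaction=filter."""
    if method.upper() != "PATCH":
        return False
    parsed = urlparse(url)
    if not parsed.path.startswith("/api/dm/views"):
        return False
    return parse_qs(parsed.query).get("interaction") == ["filter"]


def _walk(node):
    """Yield every dict nested anywhere inside a parsed JSON document."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from _walk(value)
    elif isinstance(node, list):
        for value in node:
            yield from _walk(value)


def find_credential_traversals(body):
    """Return (path, operator, value) for each filter item whose key chains
    through ORM relations and ends in a credential field."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return []
    hits = []
    for obj in _walk(doc):
        key = obj.get("filter")
        match = ORM_CHAIN_KEY.match(key) if isinstance(key, str) else None
        if match and match.group("path").split("__")[-1] in CREDENTIAL_FIELDS:
            hits.append((match.group("path"), obj.get("operator"), obj.get("value")))
    return hits


def scan_requests(records, min_chain=3):
    """Flag credential-traversal filter requests, and clients whose regex
    values grow by exactly one character per request (the shape of a
    character-by-character leak). Records are dicts with 'ip', 'method',
    'url' and 'body'; here they are constructed, not real traffic."""
    flagged = []
    regex_values_by_ip = defaultdict(list)
    for rec in records:
        if not is_views_filter_request(rec["method"], rec["url"]):
            continue
        hits = find_credential_traversals(rec.get("body", ""))
        if not hits:
            continue
        flagged.append({"ip": rec["ip"], "url": rec["url"], "hits": hits})
        for _path, operator, value in hits:
            if operator == "regex" and isinstance(value, str):
                regex_values_by_ip[rec["ip"]].append(value)
    enumerating = []
    for ip, values in regex_values_by_ip.items():
        run = 1
        for prev, cur in zip(values, values[1:]):
            # Extend the run only if cur is prev plus exactly one character.
            run = run + 1 if cur.startswith(prev) and len(cur) == len(prev) + 1 else 1
            if run >= min_chain:
                enumerating.append(ip)
                break
    return {"flagged": flagged, "enumerating_clients": enumerating}


def _view_patch(ip, filter_key, operator, value):
    body = {"data": {"filters": {"conjunction": "and", "items": [
        {"filter": filter_key, "operator": operator, "value": value}]}}}
    return {"ip": ip, "method": "PATCH",
            "url": "/api/dm/views/3?interaction=filter&project=1",
            "body": json.dumps(body)}


# Constructed sample records: one benign GET, one benign filter on a plain
# task column, and three chained-traversal filters with growing regex values.
SAMPLE_REQUESTS = [
    {"ip": "10.0.0.5", "method": "GET", "url": "/api/tasks?project=1", "body": ""},
    _view_patch("10.0.0.5", "filter:tasks:completed_at", "empty", True),
] + [
    _view_patch("10.0.0.7",
                "filter:tasks:updated_by__active_organization__active_users__password",
                "regex", prefix)
    for prefix in ("^a", "^ab", "^abc")
]

if __name__ == "__main__":
    result = scan_requests(SAMPLE_REQUESTS)
    for item in result["flagged"]:
        print("credential traversal filter from", item["ip"], item["hits"])
    print("enumerating clients:", result["enumerating_clients"])
```

The regex check only matches keys whose path contains at least one double underscore, so ordinary single-column filters such as `filter:tasks:completed_at` are never flagged; the enumeration check is deliberately strict (exact one-character growth) to keep a legitimate user refining a search from tripping it.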
GHSA (ghsa · 2023-11-14): CVE-2023-47117 [HIGH] CWE-200, Label Studio Object Relational Mapper Leak Vulnerability in Filtering Task
# Introduction
This write-up describes a vulnerability found in [Label Studio](https://github.com/HumanSignal/label-studio), a popular open source data labeling tool. The vulnerability affects all versions of Label Studio prior to `1.9.2post0` and was tested on version `1.8.2`.
# Overview
In all current versions of [Label Studio](https://github.com/HumanSignal/label-studio), the application allows users to insecurely set filters for filtering tasks. An attacker can construct a *filter chain* to filter tasks based on sensitive fields for all user accounts on the platform by exploiting Django's Object Relational Mapper (ORM). Since the results of the query can be manipulated by the ORM filter, an attacker can leak the
OSV (osv · 2023-11-14): CVE-2023-47117 [HIGH] Label Studio Object Relational Mapper Leak Vulnerability in Filtering Task; this OSV record carries the same Introduction and Overview text as the GHSA advisory above.
OSV (osv · 2023-11-13): CVE-2023-47117: Label Studio is an open source data labeling tool; this record repeats the CVE description given at the top of this page.
No detection rules found.
Nuclei (CVSS 7.5): CVE-2023-47117 [HIGH] Label Studio - Sensitive Information Exposure
An attacker can construct a filter chain to filter tasks based on sensitive fields for all user accounts on the platform by exploiting Django's Object Relational Mapper (ORM). Since the results of the query can be manipulated by the ORM filter, an attacker can leak these sensitive fields character by character.
Template:
```yaml
id: CVE-2023-47117

info:
  name: Label Studio - Sensitive Information Exposure
  author: iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    An attacker can construct a filter chain to filter tasks based on sensitive fields for all user accounts on the platform by exploiting Django's Object Relational Mapper (ORM). Since the results of query can be manipulated by the ORM filter, an attacker can leak these sensitive fields
```
No writeups or analysis indexed.
References:
- https://github.com/HumanSignal/label-studio/commit/f931d9d129002f54a495995774ce7384174cef5c
- https://github.com/HumanSignal/label-studio/security/advisories/GHSA-6hjj-gq77-j4qw