CVE-2023-47116

Label Studio is a popular open source data labeling tool. The vulnerability affects all versions of Label Studio prior to 1.11.0 and was tested on version 1.8.2. Label Studio's SSRF protections that can be enabled by setting the `SSRF_PROTECTION_ENABLED` environment variable can be bypassed to access internal web servers. This is because the current SSRF validation is done by executing a single DNS lookup to verify that the IP address is not in an excluded subnet range. This protection can be bypassed by either using HTTP redirection or performing a DNS rebinding attack.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/HumanSignal/label-studio/commit/55dd6af4716b92f2bb213fe461d1ffbc380c6a64	Patch
https://github.com/HumanSignal/label-studio/releases/tag/1.11.0	Release Notes
https://github.com/HumanSignal/label-studio/security/advisories/GHSA-p59w-9gqw-wj8r	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:humansignal:label_studio:*:*:*:*:*:*:*:*

History

09 Feb 2024, 15:37

Type	Values Removed	Values Added
First Time		Humansignal Humansignal label Studio
CPE		cpe:2.3:a:humansignal:label_studio::::::::
References	~~() https://github.com/HumanSignal/label-studio/commit/55dd6af4716b92f2bb213fe461d1ffbc380c6a64 -~~	() https://github.com/HumanSignal/label-studio/commit/55dd6af4716b92f2bb213fe461d1ffbc380c6a64 - Patch
References	~~() https://github.com/HumanSignal/label-studio/releases/tag/1.11.0 -~~	() https://github.com/HumanSignal/label-studio/releases/tag/1.11.0 - Release Notes
References	~~() https://github.com/HumanSignal/label-studio/security/advisories/GHSA-p59w-9gqw-wj8r -~~	() https://github.com/HumanSignal/label-studio/security/advisories/GHSA-p59w-9gqw-wj8r - Exploit, Third Party Advisory

31 Jan 2024, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-01-31 17:15

Updated : 2024-02-09 15:37

NVD link : CVE-2023-47116

Mitre link : CVE-2023-47116

CVE.ORG link : CVE-2023-47116

JSON object : View

Products Affected

humansignal

label_studio

CWE

CWE-918

Server-Side Request Forgery (SSRF)

{"id": "CVE-2023-47116", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2024-01-31T17:15:13.370", "references": [{"url": "https://github.com/HumanSignal/label-studio/commit/55dd6af4716b92f2bb213fe461d1ffbc380c6a64", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/HumanSignal/label-studio/releases/tag/1.11.0", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/HumanSignal/label-studio/security/advisories/GHSA-p59w-9gqw-wj8r", "tags": ["Exploit", "Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-918"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "Label Studio is a popular open source data labeling tool. The vulnerability affects all versions of Label Studio prior to 1.11.0 and was tested on version 1.8.2. Label Studio's SSRF protections that can be enabled by setting the `SSRF_PROTECTION_ENABLED` environment variable can be bypassed to access internal web servers. This is because the current SSRF validation is done by executing a single DNS lookup to verify that the IP address is not in an excluded subnet range. This protection can be bypassed by either using HTTP redirection or performing a DNS rebinding attack."}, {"lang": "es", "value": "Label Studio es una popular herramienta de etiquetado de datos de c\u00f3digo abierto. La vulnerabilidad afecta a todas las versiones de Label Studio anteriores a la 1.11.0 y se prob\u00f3 en la versi\u00f3n 1.8.2. Las protecciones SSRF de Label Studio que se pueden habilitar configurando la variable de entorno `SSRF_PROTECTION_ENABLED` se pueden omitir para acceder a los servidores web internos. Esto se debe a que la validaci\u00f3n SSRF actual se realiza ejecutando una \u00fanica b\u00fasqueda de DNS para verificar que la direcci\u00f3n IP no est\u00e9 en un rango de subred excluido. Esta protecci\u00f3n se puede omitir utilizando la redirecci\u00f3n HTTP o realizando un ataque de vinculaci\u00f3n de DNS."}], "lastModified": "2024-02-09T15:37:21.887", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:humansignal:label_studio:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "27567917-A7FB-4767-B9F6-6C8D422D62E7", "versionEndExcluding": "1.11.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}