Lucene search

[email protected]NVD:CVE-2023-43791

HistoryNov 09, 2023 - 3:15 p.m.

CVE-2023-43791

2023-11-0915:15:08

CWE-200

[email protected]

web.nvd.nist.gov

label studio

orm leak

privilege escalation

django super administrator

vulnerability

version 1.8.2

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

20.5%

JSON

Label Studio is a multi-type data labeling and annotation tool with standardized output format. There is a vulnerability that can be chained within the ORM Leak vulnerability to impersonate any account on Label Studio. An attacker could exploit these vulnerabilities to escalate their privileges from a low privilege user to a Django Super Administrator user. The vulnerability was found to affect versions before 1.8.2, where a patch was introduced.

Affected configurations

Nvd

Node

humansignallabel_studioRange<1.8.2

VendorProductVersionCPE
humansignallabel_studio*cpe:2.3:a:humansignal:label_studio:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
humansignal	label_studio	*	cpe:2.3:a:humansignal:label_studio::::::::

References

github.com/HumanSignal/label-studio/commit/3d06c5131c15600621e08b06f07d976887cde81b

github.com/HumanSignal/label-studio/pull/4690

github.com/HumanSignal/label-studio/releases/tag/1.8.2

github.com/HumanSignal/label-studio/security/advisories/GHSA-f475-x83m-rx5m

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

20.5%

JSON

Related for NVD:CVE-2023-43791

prion1 cve1 veracode1 osv2 cvelist1 vulnrichment1 github1