CVE-2022-36551

Published: Oct 3, 2022Modified: Nov 21, 2024

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

A Server Side Request Forgery (SSRF) in the Data Import module in Heartex - Label Studio Community Edition versions 1.5.0 and earlier allows an authenticated user to access arbitrary files on the system. Furthermore, self-registration is enabled by default in these versions of Label Studio enabling a remote attacker to create a new account and then exploit the SSRF.

Affected (1)

Products: Heartex: Label Studio

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Heartex Label Studio	Up to 1.5.0

Related CWEs

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (8)

http://heartex.com

Source: cve@mitre.org

Product

http://labelstud.io

Source: cve@mitre.org

Product

http://packetstormsecurity.com/files/171548/Label-Studio-1.5.0-Server-Side-Request-Forgery.html

Source: cve@mitre.org

https://github.com/heartexlabs/label-studio/pull/2840

Source: cve@mitre.org

PatchThird Party Advisory

http://heartex.com

Source: af854a3a-2127-422b-91ae-364da2661108

Product

http://labelstud.io

Source: af854a3a-2127-422b-91ae-364da2661108

Product

http://packetstormsecurity.com/files/171548/Label-Studio-1.5.0-Server-Side-Request-Forgery.html

Source: af854a3a-2127-422b-91ae-364da2661108

https://github.com/heartexlabs/label-studio/pull/2840

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

Timeline

No history available yet.