CVE-2023-47116
Last modified
CVE-2023-47116 is a medium-severity vulnerability rated 5.3/10 on the CVSS scale. Label Studio is a popular open source data labeling tool. The vulnerability affects all versions of Label Studio prior to 1.11.0 and was tested on version 1.8.2. EPSS estimates a 0.74% chance of exploitation in the next 30 days.
Description
Label Studio is a popular open source data labeling tool. The vulnerability affects all versions of Label Studio prior to 1.11.0 and was tested on version 1.8.2. Label Studio's SSRF protections that can be enabled by setting the `SSRF_PROTECTION_ENABLED` environment variable can be bypassed to access internal web servers. This is because the current SSRF validation is done by executing a single DNS lookup to verify that the IP address is not in an excluded subnet range. This protection can be bypassed by either using HTTP redirection or performing a DNS rebinding attack.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Humansignal | Label Studio | < 1.11.0 |
References
- https://github.com/HumanSignal/label-studio/security/advisories/GHSA-p59w-9gqw-wj8rExploit, Third Party Advisory
- https://github.com/HumanSignal/label-studio/security/advisories/GHSA-p59w-9gqw-wj8rExploit, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2023-47116?
How severe is CVE-2023-47116?
How do I fix CVE-2023-47116?
Are you affected by CVE-2023-47116?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST