GHSA-pc6f-259w-w3j6
Suggest an improvement- Source
- https://github.com/advisories/GHSA-pc6f-259w-w3j6
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-pc6f-259w-w3j6/GHSA-pc6f-259w-w3j6.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-pc6f-259w-w3j6
- Aliases
- Published
- 2022-10-04T00:00:25Z
- Modified
- 2024-09-27T21:22:43.216977Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- 7.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Heartex - Label Studio Community Edition vulnerable to SSRF in the Data Import module
- Details
-
A Server Side Request Forgery (SSRF) in the Data Import module in Heartex - Label Studio Community Edition versions 1.5.0 and earlier allows an authenticated user to access arbitrary files on the system. Furthermore, self-registration is enabled by default in these versions of Label Studio enabling a remote attacker to create a new account and then exploit the SSRF. This issue is fixed in version 1.6.0.
- Database specific
{ "nvd_published_at": "2022-10-03T12:15:00Z", "cwe_ids": [ "CWE-918" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2022-10-04T21:57:17Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2022-36551
- https://github.com/heartexlabs/label-studio/pull/2840
- https://github.com/heartexlabs/label-studio/commit/501142cb815ac964b0c600c491885b67386870c2
- https://github.com/heartexlabs/label-studio
- https://github.com/heartexlabs/label-studio/releases/tag/1.6.0
- https://github.com/pypa/advisory-database/tree/main/vulns/label-studio/PYSEC-2022-300.yaml
- http://heartex.com
- http://labelstud.io
- http://packetstormsecurity.com/files/171548/Label-Studio-1.5.0-Server-Side-Request-Forgery.html
Affected packages
PyPI / label-studio
Package
- Name
- label-studio
- View open source insights on deps.dev
- Purl
- pkg:pypi/label-studio
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.6.0
Affected versions
0.*
0.4.1
0.4.2
0.4.3
0.4.4
0.4.4.post1
0.4.4.post2
0.4.5
0.4.6
0.4.6.post1
0.4.6.post2
0.4.7
0.4.8
0.5.0
0.5.1
0.6.0
0.6.1
0.7.0
0.7.1
0.7.2
0.7.3
0.7.4
0.7.4.post0
0.7.4.post1
0.7.5.post1
0.7.5.post2
0.8.0
0.8.0.post0
0.8.1
0.8.1.post0
0.8.2
0.8.2.post0
0.9.0
0.9.0.post2
0.9.0.post3
0.9.0.post4
0.9.0.post5
0.9.1
0.9.1.post0
0.9.1.post1
0.9.1.post2
1.*
1.0.0
1.0.0.post0
1.0.0.post1
1.0.0.post2
1.0.0.post3
1.0.1
1.0.2
1.0.2.post0
1.1.0rc0
1.1.0
1.1.1
1.2
1.3
1.3.post0
1.3.post1
1.4
1.4.1
1.4.1.post0
1.4.1.post1
1.5.0
1.5.0.post0