GHSA-pc6f-259w-w3j6
- Source
- https://github.com/advisories/GHSA-pc6f-259w-w3j6
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-pc6f-259w-w3j6/GHSA-pc6f-259w-w3j6.json
- Aliases
- Published
- 2022-10-04T00:00:25Z
- Modified
- 2023-11-08T04:10:03.128023Z
- Details
-
A Server Side Request Forgery (SSRF) in the Data Import module in Heartex - Label Studio Community Edition versions 1.5.0 and earlier allows an authenticated user to access arbitrary files on the system. Furthermore, self-registration is enabled by default in these versions of Label Studio enabling a remote attacker to create a new account and then exploit the SSRF. This issue is fixed in version 1.6.0.
- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2022-36551
- https://github.com/heartexlabs/label-studio/pull/2840
- https://github.com/heartexlabs/label-studio/commit/501142cb815ac964b0c600c491885b67386870c2
- https://github.com/heartexlabs/label-studio
- https://github.com/heartexlabs/label-studio/releases/tag/1.6.0
- https://github.com/pypa/advisory-database/tree/main/vulns/label-studio/PYSEC-2022-300.yaml
- http://heartex.com
- http://labelstud.io
- http://packetstormsecurity.com/files/171548/Label-Studio-1.5.0-Server-Side-Request-Forgery.html
Affected packages
PyPI / label-studio
Package
- Name
- label-studio
Affected versions
0.*
0.4.0rc1
0.4.0rc2
0.4.0rc3
0.4.0rc4
0.4.0rc5
0.4.0rc6
0.4.0rc7
0.4.0rc8
0.4.1
0.4.2
0.4.3
0.4.4
0.4.4.post1
0.4.4.post2
0.4.5
0.4.6
0.4.6.post1
0.4.6.post2
0.4.7rc1
0.4.7rc2
0.4.7
0.4.8
0.5.0rc1
0.5.0
0.5.1
0.6.0rc1
0.6.0
0.6.1rc0
0.6.1
0.7.0rc0
0.7.0rc1
0.7.0rc2
0.7.0
0.7.1
0.7.2rc0
0.7.2rc1
0.7.2rc2
0.7.2rc3
0.7.2
0.7.3rc0
0.7.3rc1
0.7.3rc2
0.7.3rc3
0.7.3
0.7.4rc0
0.7.4rc1
0.7.4rc2
0.7.4rc3
0.7.4rc4
0.7.4
0.7.4.post0
0.7.4.post1
0.7.5rc0
0.7.5rc1
0.7.5rc2
0.7.5rc3
0.7.5rc4
0.7.5rc5
0.7.5rc6
0.7.5.post1
0.7.5.post2
0.8.0
0.8.0.post0
0.8.1rc0
0.8.1
0.8.1.post0
0.8.2
0.8.2.post0
0.9.0rc1
0.9.0rc2
0.9.0rc3
0.9.0rc4
0.9.0rc5
0.9.0
0.9.0.post2
0.9.0.post3
0.9.0.post4
0.9.0.post5
0.9.1rc0
0.9.1
0.9.1.post0
0.9.1.post1
0.9.1.post2
1.*
1.0.0rc0
1.0.0rc1
1.0.0rc2
1.0.0rc3
1.0.0rc4
1.0.0rc5
1.0.0rc6
1.0.0rc7
1.0.0rc8
1.0.0
1.0.0.post0
1.0.0.post1
1.0.0.post2
1.0.0.post3
1.0.1rc0
1.0.1rc1
1.0.1
1.0.2rc0
1.0.2rc1
1.0.2rc3
1.0.2
1.0.2.post0
1.1.0rc0
1.1.0rc1
1.1.0rc2
1.1.0
1.1.1rc0
1.1.1
1.2rc0
1.2rc1
1.2rc2
1.2rc3
1.2
1.3rc0
1.3rc1
1.3rc2
1.3rc3
1.3rc4
1.3
1.3.post0
1.3.post1
1.4rc0
1.4rc1
1.4rc2
1.4rc3
1.4rc5
1.4rc6
1.4
1.4.1rc0
1.4.1rc1
1.4.1rc2
1.4.1rc3
1.4.1rc4
1.4.1rc5
1.4.1
1.4.1.post0
1.4.1.post1
1.4.2rc0
1.5.0rc0
1.5.0rc1
1.5.0rc2
1.5.0rc3
1.5.0rc4
1.5.0rc5
1.5.0rc6
1.5.0rc7
1.5.0rc8
1.5.0rc9
1.5.0rc10
1.5.0rc11
1.5.0rc12
1.5.0
1.5.0.post0
1.6.0rc1
1.6.0rc2
1.6.0rc3
1.6.0rc4
1.6.0rc5