PYSEC-2023-274
See a problem?- Import Source
- https://github.com/pypa/advisory-database/blob/main/vulns/label-studio/PYSEC-2023-274.yaml
- JSON Data
- https://api.osv.dev/v1/vulns/PYSEC-2023-274
- Aliases
- Published
- 2023-11-09T15:15:00Z
- Modified
- 2024-11-21T14:57:06.134831Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
Label Studio is a multi-type data labeling and annotation tool with standardized output format. There is a vulnerability that can be chained within the ORM Leak vulnerability to impersonate any account on Label Studio. An attacker could exploit these vulnerabilities to escalate their privileges from a low privilege user to a Django Super Administrator user. The vulnerability was found to affect versions before
1.8.2, where a patch was introduced. - References
Affected packages
PyPI / label-studio
Package
- Name
- label-studio
- View open source insights on deps.dev
- Purl
- pkg:pypi/label-studio
Affected ranges
- Type
- GIT
- Repo
- https://github.com/HumanSignal/label-studio
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.8.2
Affected versions
0.*
0.4.1
0.4.2
0.4.3
0.4.4
0.4.4.post1
0.4.4.post2
0.4.5
0.4.6
0.4.6.post1
0.4.6.post2
0.4.7
0.4.8
0.5.0
0.5.1
0.6.0
0.6.1
0.7.0
0.7.1
0.7.2
0.7.3
0.7.4
0.7.4.post0
0.7.4.post1
0.7.5.post1
0.7.5.post2
0.8.0
0.8.0.post0
0.8.1
0.8.1.post0
0.8.2
0.8.2.post0
0.9.0
0.9.0.post2
0.9.0.post3
0.9.0.post4
0.9.0.post5
0.9.1
0.9.1.post0
0.9.1.post1
0.9.1.post2
1.*
1.0.0
1.0.0.post0
1.0.0.post1
1.0.0.post2
1.0.0.post3
1.0.1
1.0.2
1.0.2.post0
1.1.0rc0
1.1.0
1.1.1
1.2
1.3
1.3.post0
1.3.post1
1.4
1.4.1
1.4.1.post0
1.4.1.post1
1.5.0
1.5.0.post0
1.6.0
1.7.0
1.7.1
1.7.2
1.7.3
1.8.0
1.8.1