Label Studio
CVE-2022-36551
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionNVD
A Server Side Request Forgery (SSRF) in the Data Import module in Heartex - Label Studio Community Edition versions 1.5.0 and earlier allows an authenticated user to access arbitrary files on the system. Furthermore, self-registration is enabled by default in these versions of Label Studio enabling a remote attacker to create a new account and then exploit the SSRF.
AnalysisAI
A Server Side Request Forgery (SSRF) in the Data Import module in Heartex - Label Studio Community Edition versions 1.5.0 and earlier allows an authenticated user to access arbitrary files on the. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Technical ContextAI
This vulnerability is classified as Server-Side Request Forgery (SSRF) (CWE-918), which allows attackers to make the server perform requests to unintended internal or external resources. A Server Side Request Forgery (SSRF) in the Data Import module in Heartex - Label Studio Community Edition versions 1.5.0 and earlier allows an authenticated user to access arbitrary files on the system. Furthermore, self-registration is enabled by default in these versions of Label Studio enabling a remote attacker to create a new account and then exploit the SSRF. Affected products include: Heartex Label Studio.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Validate and allowlist destination URLs, block requests to internal networks, use network segmentation.
More in Label Studio
View allLabel Studio is an open source data labeling tool. Rated medium severity (CVSS 6.1), this vulnerability is remotely expl
Label Studio is a multi-type data labeling and annotation tool with standardized output format. Rated high severity (CVS
Label Studio is an open source data labeling tool. Rated high severity (CVSS 8.6), this vulnerability is remotely exploi
Label Studio is a multi-type data labeling and annotation tool. Rated high severity (CVSS 7.6), this vulnerability is re
Label Studio is an open source data labeling tool. Rated high severity (CVSS 7.5), this vulnerability is remotely exploi
### Summary On all Label Studio versions prior to 1.11.0, data imported via file upload feature is not properly sanitize
Stored XSS in Label Studio's custom_hotkeys feature allows authenticated attackers to inject malicious JavaScript that e
Label Studio, an open source data labeling tool had a remote import feature allowed users to import data from a remote w
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today