PT-2023-30320 · Django+1

Alex-Elttam · Published 2023-11-13 · Updated 2023-11-20

CVE-2023-47117

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Label Studio versions prior to 1.9.2post0
Description: The vulnerability allows attackers to construct a filter chain and exploit Django's Object Relational Mapper (ORM) to leak sensitive fields, including account password hashes, character by character. The root cause is that the filters used to select tasks are built from unsanitized, attacker-controlled values. Additionally, because Label Studio ships with a hard-coded secret key, an attacker who exploits this vulnerability can forge session tokens for any user. The issue affects all versions of Label Studio prior to 1.9.2post0.
Recommendations: For Label Studio versions prior to 1.9.2post0, upgrade to version 1.9.2post0 or later to address the vulnerability. As a temporary workaround, consider restricting access to the /api/dm/views/{viewId} API endpoint and the PreparedTaskManager to minimize the risk of exploitation. Avoid using unsanitized values for constructing filters, and validate filter values against an allow list before performing any queries.
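The allow-list check recommended above, shown as an added example (not Label Studio's or Django's own code). It places the vulnerable pattern, client-supplied keys passed straight into `.filter(**kwargs)`, beside a hardened form that accepts only known field names and known lookups, and rejects any key that walks across a relation. The field names, lookup set and sample filter keys are constructed for the example and are not Label Studio's schema; the validator is pure Python so it runs without a Django project.

```python
import re
from typing import Any, Dict

# Hypothetical allow list for a task-filtering endpoint; these field names are
# constructed for the example and are not Label Studio's schema.
ALLOWED_FILTER_FIELDS = {"id", "created_at", "updated_at", "is_labeled"}
# Lookups a client may apply to those fields. Prefix and regex lookups are left
# out on purpose: each one answers "does the value start with X?" and so acts as
# an oracle that reveals a field's contents one character at a time.
ALLOWED_LOOKUPS = {"exact", "in", "gt", "gte", "lt", "lte", "isnull"}

# One '__'-separated segment of a Django lookup key: a bare identifier.
_SEGMENT_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")


class UnsafeFilter(ValueError):
    """Raised when a client-supplied filter key is not on the allow list."""


def build_filters_unsafe(raw: Dict[str, Any]) -> Dict[str, Any]:
    """The vulnerable pattern: request data becomes .filter(**kwargs) as-is.

    Django resolves every '__' segment as a relation hop, a field or a lookup,
    so a key that walks across a relation reaches columns the endpoint never
    meant to expose, and a prefix lookup on such a column leaks it character by
    character.
    """
    return dict(raw)


def validate_filters(raw: Dict[str, Any]) -> Dict[str, Any]:
    """Hardened form: accept only <field> or <field>__<lookup>.

    Both parts must be on the allow list. Any key with more segments is a
    relation traversal and is rejected before a query is built.
    """
    clean: Dict[str, Any] = {}
    for key, value in raw.items():
        if not isinstance(key, str):
            raise UnsafeFilter(f"non-string filter key: {key!r}")
        parts = key.split("__")
        if len(parts) > 2 or not all(_SEGMENT_RE.match(p) for p in parts):
            raise UnsafeFilter(f"relation traversal or malformed key: {key!r}")
        field = parts[0]
        lookup = parts[1] if len(parts) == 2 else "exact"
        if field not in ALLOWED_FILTER_FIELDS:
            raise UnsafeFilter(f"field not filterable: {field!r}")
        if lookup not in ALLOWED_LOOKUPS:
            raise UnsafeFilter(f"lookup not permitted: {lookup!r}")
        clean[key] = value
    return clean


def is_rejected(raw: Dict[str, Any]) -> bool:
    """True when validate_filters refuses the input, False when it passes."""
    try:
        validate_filters(raw)
    except UnsafeFilter:
        return True
    return False


if __name__ == "__main__":
    # In a Django view this would feed Task.objects.filter(**validate_filters(...)).
    request_filters = {"is_labeled": False, "created_at__gte": "2023-11-01"}
    print(validate_filters(request_filters))
    # A relation-traversing key (constructed) passes the unsafe builder unchanged...
    probe = {"project__owner__password__startswith": "p"}
    print(build_filters_unsafe(probe))
    # ...and is refused by the validator before any query runs.
    print(is_rejected(probe))
```

Keying the allow list on field names alone is not enough; the lookup set matters too, since `startswith`, `regex` and similar lookups turn even a permitted field into a prefix oracle. Whatever the validator accepts should be the only thing that reaches the ORM, and the same check belongs in front of every code path that builds filters from request data, not just one endpoint.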

Exploit

Fix

Information Disclosure


Weakness Enumeration

Related Identifiers

CVE-2023-47117
GHSA-6HJJ-GQ77-J4QW
PYSEC-2023-275

Affected Products

Django
Label Studio