PT-2023-33010 · Django+2

Published

2023-03-24

·

Updated

2023-03-24

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Label Studio deployed with the default nginx configuration files, in the versions introduced at Mar 31, 2021, and earlier.
Description

The issue lies in the nginx configuration file shipped with Label Studio: the location /static directive has no trailing slash. A prefix location without a trailing slash also matches URIs such as /static../, and when that location is served through an alias directive nginx appends the remainder of the URI (../) to the alias path. A single path traversal payload is therefore enough to step one directory above the static files directory and read files under /label studio/core/. This is the off-by-slash misconfiguration that Orange Tsai presented at Black Hat USA 2018 ("Breaking Parser Logic"). An unauthenticated attacker exploits it simply by requesting a file inside the traversed directory, which can leak the Django secret key and other sensitive settings.
Recommendations

For Label Studio instances deployed with the default nginx files introduced at Mar 31, 2021, and earlier, edit the nginx configuration so that the location /static directive ends with a slash, for example:
location /static/ {
  ...
}
With the trailing slash the location matches only URIs that begin with /static/, so a request for /static../ no longer reaches the alias and the traversal fails. After changing the configuration, reload nginx and verify that a request for /static../ returns a 404 rather than a file from the parent directory.
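The following is an added example, not code from the advisory or from the Label Studio project. It shows the off-by-slash check a reviewer would run over an nginx configuration, plus a small model of how nginx maps a URI to a file for a prefix location paired with alias, so the vulnerable and fixed location directives can be compared side by side. The two configuration fragments and the alias path /app/core/static_build/ are constructed for illustration and do not reflect Label Studio's real layout; the regexes handle single-level location blocks only.

```python
import posixpath
import re

# Constructed nginx fragments for illustration only; the alias path is an
# assumption, not Label Studio's actual filesystem layout.
VULNERABLE_CONF = """
server {
    listen 8080;
    location /static {
        alias /app/core/static_build/;
    }
}
"""

FIXED_CONF = """
server {
    listen 8080;
    location /static/ {
        alias /app/core/static_build/;
    }
}
"""

# A prefix location block (optionally with the = or ^~ modifier) and its body.
# Deliberately simple: flat blocks with no nested braces, no regex locations.
LOCATION_RE = re.compile(
    r"location\s+(?:(?P<mod>=|\^~)\s+)?(?P<prefix>/\S*)\s*\{(?P<body>[^{}]*)\}",
    re.S,
)
ALIAS_RE = re.compile(r"\balias\s+(?P<path>\S+?)\s*;")


def find_off_by_slash(config_text):
    """Return (prefix, alias) pairs where a prefix location without a trailing
    slash is paired with an alias ending in one: the off-by-slash pattern.
    Exact-match locations (=) cannot match /static../ and are skipped."""
    findings = []
    for m in LOCATION_RE.finditer(config_text):
        if m.group("mod") == "=":
            continue
        prefix = m.group("prefix")
        alias = ALIAS_RE.search(m.group("body"))
        if alias is None:
            continue
        path = alias.group("path")
        if not prefix.endswith("/") and path.endswith("/"):
            findings.append((prefix, path))
    return findings


def resolve_alias(prefix, alias, uri):
    """Model of nginx's alias mapping for a prefix location: the part of the
    URI after the matched prefix is appended to the alias path. Returns the
    normalised filesystem path, or None when the location does not match.
    nginx collapses "/../" segments in the URI before matching, which is why
    the payload uses "/static../" (a single, legal path segment) instead."""
    if not uri.startswith(prefix):
        return None
    return posixpath.normpath(alias + uri[len(prefix):])


def escapes_alias(prefix, alias, uri):
    """True when the resolved path lies outside the alias directory."""
    resolved = resolve_alias(prefix, alias, uri)
    if resolved is None:
        return False
    base = posixpath.normpath(alias)
    return not (resolved == base or resolved.startswith(base + "/"))


if __name__ == "__main__":
    # Traversal probe in the shape described by the advisory (constructed).
    probe = "/static../settings/local.py"
    for name, conf in (("vulnerable", VULNERABLE_CONF), ("fixed", FIXED_CONF)):
        print(f"{name}: off-by-slash findings = {find_off_by_slash(conf)}")
    print("vulnerable maps probe to:", resolve_alias("/static", "/app/core/static_build/", probe))
    print("fixed location matches probe:", resolve_alias("/static/", "/app/core/static_build/", probe) is not None)
```

Running the script reports the vulnerable fragment as a finding and the fixed one as clean, and shows the probe resolving to /app/core/settings/local.py under the vulnerable location while the fixed location does not match /static../ at all, so nginx falls through to whatever other location applies (typically a 404).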

Related Identifiers

GHSA-CPMR-MW4J-99R7

Affected Products

Django
Label Studio
Nginx