PT-2024-28848 · Doccano · Doccano
Gian2Dchris · Published 2024-09-23 · Updated 2024-09-26
CVE-2024-40441
CVSS v3.1: 6.6 (Medium)
| Vector | AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Doccano (open source annotation tool for machine learning practitioners), version 1.8.4
Doccano Auto Labeling Pipeline (module that annotates a document automatically), version 0.1.23
Description
The issue allows a remote attacker to escalate privileges via the model attribs parameter. It is exploited through argument manipulation: an attacker who is able to set that parameter supplies crafted values to it. Read the CVSS vector on this page together with the description: PR:H and AC:H mean that exploitation requires an account that already holds elevated privileges in the application and a high-complexity attack, which is why the score is Medium even though the impact on confidentiality, integrity and availability is rated High. The entry is classified under the SSRF (server-side request forgery) weakness.
Recommendations
For Doccano (open source annotation tool for machine learning practitioners) version 1.8.4, upgrade the affected component to a fixed release as soon as possible.
For Doccano Auto Labeling Pipeline (module that annotates a document automatically) version 0.1.23, upgrade the affected component to a fixed release as soon as possible.
As a temporary workaround, restrict access to the model attribs parameter until a patch is available and applied. Since the vector requires high privileges (PR:H), also review which accounts hold the role that is allowed to set that parameter and limit it to the administrators who need it; that narrows the set of users who could exploit the issue in the meantime.
Exploit
Fix
Weakness Enumeration
SSRF
Related Identifiers
CVE-2024-40441
Affected Products
Doccano