High severityNVD Advisory· Published Oct 3, 2022· Updated Aug 3, 2024
CVE-2022-36551
CVE-2022-36551
Description
A Server Side Request Forgery (SSRF) in the Data Import module in Heartex - Label Studio Community Edition versions 1.5.0 and earlier allows an authenticated user to access arbitrary files on the system. Furthermore, self-registration is enabled by default in these versions of Label Studio enabling a remote attacker to create a new account and then exploit the SSRF.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
label-studioPyPI | < 1.6.0 | 1.6.0 |
Affected products
2- Heartex/Label Studio Community Editiondescription
Patches
Vulnerability mechanics
References
9- github.com/advisories/GHSA-pc6f-259w-w3j6ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-36551ghsaADVISORY
- heartex.comghsaWEB
- labelstud.ioghsaWEB
- packetstormsecurity.com/files/171548/Label-Studio-1.5.0-Server-Side-Request-Forgery.htmlghsaWEB
- github.com/heartexlabs/label-studio/commit/501142cb815ac964b0c600c491885b67386870c2ghsaWEB
- github.com/heartexlabs/label-studio/pull/2840ghsaWEB
- github.com/heartexlabs/label-studio/releases/tag/1.6.0ghsaWEB
- github.com/pypa/advisory-database/tree/main/vulns/label-studio/PYSEC-2022-300.yamlghsaWEB
News mentions
0No linked articles in our index yet.