Critical severity | NVD Advisory | Published Nov 9, 2023 | Updated Sep 3, 2024
Label Studio has Hardcoded Django `SECRET_KEY` that can be Abused to Forge Session Tokens
CVE-2023-43791
Description
Label Studio is a multi-type data labeling and annotation tool with a standardized output format. Label Studio ships with a hardcoded Django `SECRET_KEY`, which can be chained with the ORM Leak vulnerability to forge session tokens and impersonate any account on the instance. An attacker could exploit these vulnerabilities to escalate their privileges from a low-privilege user to a Django Super Administrator. The vulnerability affects versions before 1.8.2, where a patch was introduced.
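The weakness described above is a secret committed to the settings module rather than supplied at deployment time. The following is an added example (not Label Studio's or Django's own code) of a static check a deployer can run over a Django settings file to catch that pattern before it ships; the settings snippets it scans are constructed samples, not the project's real `settings.py`.

```python
import ast
from typing import List, Tuple

# Constructed sample Django settings modules (not Label Studio's real settings.py).
HARDCODED_SETTINGS = 'DEBUG = False\nSECRET_KEY = "shipped-in-repo-placeholder"\n'
ENV_SETTINGS = 'import os\nSECRET_KEY = os.environ["SECRET_KEY"]\n'
FALLBACK_SETTINGS = 'import os\nSECRET_KEY = os.getenv("SECRET_KEY", "dev-fallback")\n'


def _is_str_literal(node: ast.AST) -> bool:
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def find_hardcoded_secret_key(source: str) -> List[Tuple[int, str]]:
    """Scan a settings module for a hardcoded Django SECRET_KEY.

    Returns (line number, reason) pairs. Two patterns are reported:
      - SECRET_KEY assigned a plain string literal;
      - SECRET_KEY read from the environment with a literal fallback
        (os.getenv(name, "x") / os.environ.get(name, "x")), which silently
        becomes the hardcoded value whenever the variable is unset.
    A bare environment read is accepted. This is a heuristic over the AST,
    not a full data-flow analysis.
    """
    findings: List[Tuple[int, str]] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Assign):
            continue
        if not any(isinstance(t, ast.Name) and t.id == "SECRET_KEY" for t in node.targets):
            continue
        value = node.value
        if _is_str_literal(value):
            findings.append((node.lineno, "SECRET_KEY is a string literal"))
        elif isinstance(value, ast.Call):
            func = value.func
            name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", "")
            if name in ("get", "getenv") and len(value.args) >= 2 and _is_str_literal(value.args[1]):
                findings.append((node.lineno, "SECRET_KEY falls back to a string literal"))
    return findings


if __name__ == "__main__":
    samples = [("hardcoded", HARDCODED_SETTINGS), ("env", ENV_SETTINGS), ("fallback", FALLBACK_SETTINGS)]
    for label, src in samples:
        print(label, find_hardcoded_secret_key(src) or "ok")
```

A finding on a deployed instance means every session cookie signed under that key should be treated as forgeable until the key is replaced and existing sessions invalidated.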
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| label-studio | PyPI | < 1.8.2 | 1.8.2 |
Affected products
- Range: <= 1.8.1
References
- https://github.com/advisories/GHSA-f475-x83m-rx5m (GHSA advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2023-43791 (NVD advisory)
- https://github.com/HumanSignal/label-studio/commit/3d06c5131c15600621e08b06f07d976887cde81b (fix commit)
- https://github.com/HumanSignal/label-studio/pull/4690 (fix pull request)
- https://github.com/HumanSignal/label-studio/releases/tag/1.8.2 (patched release)
- https://github.com/HumanSignal/label-studio/security/advisories/GHSA-f475-x83m-rx5m (vendor advisory, confirmed)
- https://github.com/pypa/advisory-database/tree/main/vulns/label-studio/PYSEC-2023-274.yaml (PyPI advisory database)