Heartex - Label Studio Community Edition vulnerable to SSRF in the Data Import module
Moderate severity
GitHub Reviewed
Published Oct 4, 2022 to the GitHub Advisory Database • Updated Mar 28, 2023
Published by the National Vulnerability Database: Oct 3, 2022
Published to the GitHub Advisory Database: Oct 4, 2022
Reviewed: Oct 4, 2022
Last updated: Mar 28, 2023
Description
A Server-Side Request Forgery (SSRF) in the Data Import module in Heartex - Label Studio Community Edition versions 1.5.0 and earlier allows an authenticated user to access arbitrary files on the system. Furthermore, self-registration is enabled by default in these versions of Label Studio, so a remote attacker can create a new account and then exploit the SSRF. This issue is fixed in version 1.6.0.
References