CVE-2023-43791

Label Studio has Hardcoded Django `SECRET_KEY` that can be Abused to Forge Session Tokens in pypi/label-studio

Identifiers

GHSA-f475-x83m-rx5m, CVE-2023-43791

Package Slug

pypi/label-studio

Vulnerability

Label Studio has Hardcoded Django SECRET_KEY that can be Abused to Forge Session Tokens

Description

Label Studio is a multi-type data labeling and annotation tool with standardized output format. There is a vulnerability that can be chained within the ORM Leak vulnerability to impersonate any account on Label Studio. An attacker could exploit these vulnerabilities to escalate their privileges from a low privilege user to a Django Super Administrator user. The vulnerability was found to affect versions before 1.8.2, where a patch was introduced.

Affected Versions

All versions up to 1.8.1

Solution

Upgrade to version 1.8.2 or above.

Last Modified

2023-11-10

source