CVE-2023-47117: Label Studio Object Relational Mapper Leak Vulnerability in Filtering Task
The following code snippet from the ViewSetSerializer in label_studio/data_manager/serializers.py insecurely creates Filter objects from a JSON POST request to the /api/dm/views/{viewId} API endpoint: every key of each filter entry in the request body is spread directly into Filter.objects.create, so the client, not the serializer, decides which model fields are set and which column each filter names.
```python
@staticmethod
def _create_filters(filter_group, filters_data):
    filter_index = 0
    for filter_data in filters_data:
        filter_data["index"] = filter_index
        # filter_data comes straight from the request body; nothing checks its
        # keys or the column it names before it is persisted and later used
        # as an ORM lookup
        filter_group.filters.add(Filter.objects.create(**filter_data))
        filter_index += 1
```
These Filter objects are then applied to the task queryset by TaskQuerySet.prepared in label_studio/data_manager/managers.py, which passes them to apply_filters (the call marked <1> below) without further validation.
```python
class TaskQuerySet(models.QuerySet):
    def prepared(self, prepare_params=None):
        """Apply filters, ordering and selected items to queryset
        :param prepare_params: prepare params with project, filters, orderings, etc
        :return: ordered and filtered queryset
        """
        from projects.models import Project

        queryset = self
        if prepare_params is None:
            return queryset

        project = Project.objects.get(pk=prepare_params.project)
        request = prepare_params.request
        queryset = apply_filters(queryset, prepare_params.filters, project, request)  # <1>
        queryset = apply_ordering(queryset, prepare_params.ordering, project, request, view_data=prepare_params.data)

        if not prepare_params.selectedItems:
            return queryset
```
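As an added illustration (not Label Studio's code and not the project's fix), the block below reproduces the two steps above with a Django-free stand-in: a `_create_filters` that spreads the request dict into the model, and an `apply_filters` that turns each Filter's column into an ORM-style lookup. It then shows why the title calls this an ORM leak: when the column may name a relation-traversing lookup, a `starts_with` filter on a field the caller should never see answers yes or no per request, which is enough to recover the field one character at a time. The hardened variant beside it allow-lists request keys and filterable columns. The task rows, the `annotator__password_hash` lookup, the request keys and both allow-lists are constructed for this example; they are not Label Studio's schema, and the allow-list is one reasonable hardening, not a description of what the referenced commit does.

```python
# Added illustration, not Label Studio code. Django is replaced by an in-memory
# stand-in so the example runs offline; all names and rows below are constructed.

ALLOWED_FILTER_KEYS = {"column", "operator", "type", "value"}  # assumed request schema
ALLOWED_COLUMNS = {"id", "data", "completed_at"}                # assumed filterable columns


class FilterValidationError(ValueError):
    """Raised by the hardened path when a request steps outside the allow-lists."""


class Filter:
    """Stand-in for the Filter model: like Model(**kwargs), every key becomes a field."""

    def __init__(self, **kwargs):
        self.__dict__.update(kwargs)


def create_filters_vulnerable(filters_data):
    """Mirrors the original loop: the JSON dict reaches the model unchecked."""
    created = []
    for index, filter_data in enumerate(filters_data):
        filter_data["index"] = index
        created.append(Filter(**filter_data))
    return created


def create_filters_hardened(filters_data):
    """Same loop, but unknown keys and non-allow-listed columns are refused."""
    created = []
    for index, filter_data in enumerate(filters_data):
        unknown = set(filter_data) - ALLOWED_FILTER_KEYS
        if unknown:
            raise FilterValidationError(f"unexpected filter keys: {sorted(unknown)}")
        if filter_data["column"] not in ALLOWED_COLUMNS:
            raise FilterValidationError(f"column is not filterable: {filter_data['column']!r}")
        created.append(Filter(index=index, **filter_data))
    return created


def resolve_lookup(row, path):
    """Walk a Django-style lookup path ('annotator__password_hash') across relations."""
    value = row
    for part in path.split("__"):
        value = value[part]
    return value


def apply_filters(rows, filters):
    """Stand-in for apply_filters: Filter.column becomes the lookup, unrestricted."""
    for f in filters:
        if f.operator == "equal":
            rows = [r for r in rows if resolve_lookup(r, f.column) == f.value]
        elif f.operator == "starts_with":
            rows = [r for r in rows if str(resolve_lookup(r, f.column)).startswith(f.value)]
        else:
            raise FilterValidationError(f"unsupported operator: {f.operator!r}")
    return rows


# Constructed sample data: tasks joined to the user who annotated them.
TASKS = [
    {"id": 1, "data": "cat.png", "completed_at": None,
     "annotator": {"username": "alice", "password_hash": "a1f9"}},
    {"id": 2, "data": "dog.png", "completed_at": "2023-11-01",
     "annotator": {"username": "bob", "password_hash": "77c0"}},
]


def recover_secret(rows, task_id, column, length, alphabet="0123456789abcdef"):
    """The leak: pin one row by id, then ask 'does <column> start with <prefix>?'
    through the vulnerable path; a non-empty result is the oracle. Every
    iteration of the inner loop corresponds to one POST an attacker would send."""
    known = ""
    while len(known) < length:
        for ch in alphabet:
            filters = create_filters_vulnerable([
                {"column": "id", "operator": "equal", "type": "Number", "value": task_id},
                {"column": column, "operator": "starts_with", "type": "String", "value": known + ch},
            ])
            if apply_filters(rows, filters):
                known += ch
                break
        else:
            raise RuntimeError("no candidate matched; alphabet too small for this secret")
    return known


def hardened_rejects(filters_data):
    """True when the allow-listed path refuses the request."""
    try:
        create_filters_hardened(filters_data)
    except FilterValidationError:
        return True
    return False


if __name__ == "__main__":
    print(recover_secret(TASKS, 1, "annotator__password_hash", 4))  # a1f9
    print(hardened_rejects([{"column": "annotator__password_hash", "operator": "starts_with",
                             "type": "String", "value": "a"}]))       # True
```

The point of the stand-in is the shape of the bug rather than Label Studio's exact field names: once the column string is attacker-chosen and becomes a lookup, any field reachable through a relation join is queryable, and a boolean answer per request is all that is needed. The allow-list is deliberately on the serializer side, before `create`, so a rejected request never produces a persisted Filter that a later `prepared` call could pick up.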
References
- github.com/HumanSignal/label-studio
- github.com/HumanSignal/label-studio/commit/f931d9d129002f54a495995774ce7384174cef5c
- github.com/HumanSignal/label-studio/security/advisories/GHSA-6hjj-gq77-j4qw
- github.com/advisories/GHSA-6hjj-gq77-j4qw
- github.com/pypa/advisory-database/tree/main/vulns/label-studio/PYSEC-2023-275.yaml
- nvd.nist.gov/vuln/detail/CVE-2023-47117