CVE-2024-23633: Cross-site Scripting Vulnerability on Data Import
The following code snippet in Label Studio shows that if a URL passes the SSRF verification checks, the contents of the file are downloaded and stored using the filename taken from the URL.
def tasks_from_url(file_upload_ids, project, user, url, could_be_tasks_list):
    """Download file using URL and read tasks from it"""
    ...  # function body not shown on this page
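The pattern the advisory describes is a stored filename derived from a user-supplied URL, so the name and extension of what gets written to disk (and later served back to a browser) are attacker-controlled. The following is an added illustration, not Label Studio's code or its actual fix: it contrasts that pattern with a hardened importer that allowlists extensions, replaces the name with a random token, and serves uploads with the CSP `sandbox` directive referenced above. The allowlist, function names and header set are assumptions.

```python
# Added example: URL-derived filenames on import, risky form beside hardened form.
# Not Label Studio's code; ALLOWED_EXTENSIONS and the header set are assumptions.
import posixpath
import secrets
from urllib.parse import urlparse, unquote

# Assumed allowlist of file types an import feature legitimately needs.
ALLOWED_EXTENSIONS = {".json", ".csv", ".tsv", ".txt"}


def filename_from_url_unsafe(url: str) -> str:
    """Risky pattern: trust the last path segment of the URL as the stored name.
    A URL ending in 'page.html' yields a stored file that a browser will render
    as HTML if the server later serves it with a guessed content type."""
    return posixpath.basename(unquote(urlparse(url).path))


def filename_from_url_safe(url: str) -> str:
    """Hardened: keep only an allowlisted extension and replace the name with a
    random token, so neither the stored name nor its type comes from the URL."""
    original = posixpath.basename(unquote(urlparse(url).path))
    ext = posixpath.splitext(original)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"refusing to import file type {ext!r}")
    return f"{secrets.token_hex(16)}{ext}"


def download_headers(stored_name: str) -> dict:
    """Response headers for serving an uploaded file back to a browser:
    never sniff its type, always offer it as a download, and sandbox it
    (unique origin, scripts disabled) even if a client renders it inline."""
    return {
        "Content-Type": "application/octet-stream",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{stored_name}"',
        # See the MDN Content-Security-Policy/sandbox reference on this page.
        "Content-Security-Policy": "sandbox",
    }


if __name__ == "__main__":
    # Constructed sample URLs (not real hosts).
    print(filename_from_url_unsafe("https://example.invalid/import/page.html?v=1"))
    print(filename_from_url_safe("https://example.invalid/import/tasks.JSON"))
    print(download_headers("upload.json"))
```

The key design choice is that nothing the user controls reaches either the on-disk name or the response type: the extension is checked against an allowlist rather than a denylist, and the serving path refuses to let the browser interpret the bytes as a document regardless of what was stored.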
References
- developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox
- github.com/HumanSignal/label-studio
- github.com/HumanSignal/label-studio/blob/1.9.2.post0/label_studio/data_import/api.py
- github.com/HumanSignal/label-studio/blob/1.9.2.post0/label_studio/data_import/uploader.py
- github.com/HumanSignal/label-studio/security/advisories/GHSA-fq23-g58m-799r
- github.com/advisories/GHSA-fq23-g58m-799r
- github.com/pypa/advisory-database/tree/main/vulns/label-studio/PYSEC-2024-128.yaml
- nvd.nist.gov/vuln/detail/CVE-2024-23633