CVE-2022-32179

Date: October 29, 2022

Overview

Label-Studio versions v1.0.0 to v1.5.0post0 are vulnerable to blind SSRF. The “Import Data” feature allows importing data from publicly available URLs and does not enforce proper filtering of requests performed internally. This can be abused by authenticated attackers to send internal requests to the server.

Details

A Blind Server-Side Request Forgery (blind SSRF) in the Data Import module in Heartex - Label Studio allows an authenticated user to access arbitrary files on the system. The “Import Data” feature allows importing data from publicly available URLs and does not enforce proper filtering of requests performed internally.

PoC Details

1. Log in as owner@yopmail.com:Owner@12 in a browser by visiting the URL http://192.168.2.179:8080/
2. Go to create project and navigate to the “Data Import” tab.
3. Start a Python server by running the command below on the host machine.
python3 -m http.server 9000
4. Enter the Python server URL (http://0.0.0.0:9000/ssrf.txt) in the Dataset URL field, click on “Add URL” and save.
5. We see that the internal file gets uploaded and we receive a request on the Python server as well.

Affected Environments

Label-Studio versions v1.0.0 through v1.5.0post0

Prevention

Upgrade to Label-Studio version 1.6.0

Language: Python

Good to know:

Server-Side Request Forgery (SSRF)

CWE-918
Upgrade Version

Upgrade to version label-studio - 1.6.0

Base Score:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): None
Availability (A): None