CVE-2023-47117

Public Exploit
Object Relational Mapper Leak Vulnerability in Filtering Task in Label Studio

Description

Label Studio is an open source data labeling tool. In all current versions of Label Studio prior to 1.9.2post0, the application allows users to insecurely set filters for filtering tasks. An attacker can construct a filter chain to filter tasks based on sensitive fields for all user accounts on the platform by exploiting Django's Object Relational Mapper (ORM). Since the results of query can be manipulated by the ORM filter, an attacker can leak these sensitive fields character by character. In addition, Label Studio had a hard coded secret key that an attacker can use to forge a session token of any user by exploiting this ORM Leak vulnerability to leak account password hashes. This vulnerability has been addressed in commit `f931d9d129` which is included in the 1.9.2post0 release. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Category

7.5
CVSS
Severity: High
CVSS 3.1 •
EPSS 65.93% Top 5%
Vendor Advisory github.com
Affected: HumanSignal label-studio
Published at:
Updated at:

References

Link Tags
https://github.com/HumanSignal/label-studio/security/advisories/GHSA-6hjj-gq77-j4qw vendor advisory mitigation exploit
https://github.com/HumanSignal/label-studio/commit/f931d9d129002f54a495995774ce7384174cef5c patch

Frequently Asked Questions

What is the severity of CVE-2023-47117?
CVE-2023-47117 has been scored as a high severity vulnerability.
How to fix CVE-2023-47117?
To fix CVE-2023-47117, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2023-47117 being actively exploited in the wild?
It is possible that CVE-2023-47117 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~66% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-47117?
CVE-2023-47117 affects HumanSignal label-studio.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.