Vulnerability Description
A Server Side Request Forgery (SSRF) in the Data Import module in Heartex - Label Studio Community Edition versions 1.5.0 and earlier allows an authenticated user to access arbitrary files on the system. Furthermore, self-registration is enabled by default in these versions of Label Studio enabling a remote attacker to create a new account and then exploit the SSRF.
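As an added defensive example (not code from Label Studio, the advisory, or the linked patch), this is the kind of check an import-by-URL feature needs before fetching: it refuses any scheme other than http/https (a file: URL is how an SSRF turns into an arbitrary file read, as described above) and refuses hosts that resolve to loopback, private, link-local or otherwise non-global addresses. The function names and the injectable `resolver` parameter are assumptions made so the check can run without network access.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Only these schemes may be fetched by an import-by-URL feature; file:, ftp:,
# gopher: and friends are refused so the fetcher cannot be turned into a
# local file reader.
ALLOWED_SCHEMES = {"http", "https"}


def resolve_host(hostname):
    """Resolve a hostname to its IP address strings via the system resolver."""
    infos = socket.getaddrinfo(hostname, None)
    return sorted({info[4][0] for info in infos})


def is_safe_import_url(url, resolver=resolve_host):
    """Return True only if url is an http(s) URL whose host resolves solely
    to globally routable addresses. `resolver` is injectable (an assumption
    of this example) so the logic can be exercised offline."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    if not parsed.hostname:
        return False
    try:
        addrs = resolver(parsed.hostname)
    except (socket.gaierror, ValueError):
        return False
    if not addrs:
        return False
    for addr in addrs:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            # e.g. a scoped IPv6 literal the parser does not accept: refuse
            return False
        # Loopback, RFC 1918, link-local (cloud metadata endpoints),
        # multicast, reserved and unspecified ranges are all non-global.
        if not ip.is_global:
            return False
    return True
```

The fetch that follows must connect to the address that was validated (or re-validate after each redirect), otherwise DNS rebinding or a redirect to an internal host bypasses the check.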
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Heartex | Label Studio | <= 1.5.0 |
Related Weaknesses (CWE)
References
- http://heartex.com (Product)
- http://labelstud.io (Product)
- http://packetstormsecurity.com/files/171548/Label-Studio-1.5.0-Server-Side-Reque
- https://github.com/heartexlabs/label-studio/pull/2840 (Patch, Third Party Advisory)
FAQ
What is CVE-2022-36551?
CVE-2022-36551 is a vulnerability with a CVSS score of 6.5 (MEDIUM). A Server Side Request Forgery (SSRF) in the Data Import module in Heartex - Label Studio Community Edition versions 1.5.0 and earlier allows an authenticated user to access arbitrary files on the system.
How severe is CVE-2022-36551?
CVE-2022-36551 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2022-36551?
Check the references section above for vendor advisories and patch information. Affected products include: Heartex Label Studio.