Label Studio Users Beware! Critical Vulnerability Allows Account Takeover

CVE: CVE-2023-43791
CVSS (v3.1): 9.8
Source: CVE-2023-43791

Label Studio, a popular open source data labeling tool, was found to have a critical vulnerability that could allow attackers to take over any user account.

The vulnerability was in how user authentication was handled by the backend Django framework. By chaining an ORM leak vulnerability with a privilege escalation, an attacker holding only a regular user account could make the system treat them as a super administrator.

This would give the attacker the same full access as the site administrator: reading any user's data, changing projects or labels, downloading sensitive training datasets, and even deleting entire projects or shutting the platform down.
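The ORM leak class mentioned above typically arises when query-string keys are passed straight into Django's `QuerySet.filter(**kwargs)`, letting a request walk relations into fields it should never see. The following is an added example, not Label Studio's code and not the advisory's: it shows the defensive pattern of allowlisting both the base field and the lookup type before anything reaches the ORM. The field names, lookup set and endpoint are hypothetical, and the check is plain Python so it runs without Django installed.

```python
"""Allowlist filter for user-controlled ORM lookups (added example, hypothetical endpoint)."""
from typing import Dict, Mapping, Set

# Fields a regular user may filter on for this hypothetical list endpoint.
ALLOWED_FIELDS: Set[str] = {"title", "created_at", "is_published"}
# Lookup suffixes that are safe to expose; anything else is refused.
ALLOWED_LOOKUPS: Set[str] = {"exact", "iexact", "icontains", "gte", "lte"}


class UnsafeLookup(ValueError):
    """Raised when a filter key is not on the allowlist."""


def sanitize_filters(params: Mapping[str, str]) -> Dict[str, str]:
    """Return ORM-style kwargs containing only allowlisted field/lookup pairs.

    Keys are split on Django's '__' separator. A key is accepted only as
    '<field>' or '<field>__<lookup>' with both parts allowlisted; a longer key
    (a traversal into a related model, e.g. owner__password__startswith)
    is rejected before it could ever be handed to QuerySet.filter().
    """
    clean: Dict[str, str] = {}
    for key, value in params.items():
        parts = key.split("__")
        field = parts[0]
        if field not in ALLOWED_FIELDS:
            raise UnsafeLookup(f"field not filterable: {field!r}")
        if len(parts) == 1:
            lookup = "exact"
        elif len(parts) == 2 and parts[1] in ALLOWED_LOOKUPS:
            lookup = parts[1]
        else:
            # Unknown lookup type, or a relation traversal: refuse the whole request.
            raise UnsafeLookup(f"lookup not permitted: {key!r}")
        clean[f"{field}__{lookup}"] = value
    return clean


def is_safe(params: Mapping[str, str]) -> bool:
    """Convenience predicate: True if every key in params passes the allowlist."""
    try:
        sanitize_filters(params)
        return True
    except UnsafeLookup:
        return False


if __name__ == "__main__":
    # Constructed sample requests: one benign, one attempting a relation traversal.
    print(sanitize_filters({"title__icontains": "cats", "is_published": "true"}))
    print(is_safe({"owner__password__startswith": "a"}))
```

Raising on the first bad key (rather than silently dropping it) is deliberate: a request containing a disallowed lookup is a signal worth logging and alerting on, not something to quietly tolerate.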

Label Studio has now released version 1.8.2, which patches this vulnerability. All users are strongly advised to upgrade immediately. Even after upgrading, change your password to be safe, in case your old credentials were compromised.
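To confirm an installation is actually on the patched release rather than trusting memory, the following added check compares the installed version against 1.8.2 (the fixed version named above). It is not part of the advisory; it assumes the PyPI distribution is named `label-studio`, and it treats a pre-release tag on 1.8.2 itself as not yet patched.

```python
"""Check whether an installed Label Studio is at or above the patched release (added example)."""
import re
from importlib.metadata import PackageNotFoundError, version
from typing import Optional, Tuple

FIXED_VERSION = "1.8.2"          # from the advisory
DISTRIBUTION = "label-studio"    # assumed PyPI distribution name

_PRERELEASE = re.compile(r"\d\.?(a|b|rc|dev)\d*", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.8.2' or '1.8.2rc1' into a tuple of the leading numeric parts."""
    nums = []
    for part in text.split("."):
        digits = ""
        for ch in part:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        nums.append(int(digits))
    return tuple(nums)


def is_prerelease(text: str) -> bool:
    """True for PEP 440-style pre-release markers (a, b, rc, dev) after a number."""
    return _PRERELEASE.search(text) is not None


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True if installed >= fixed; a pre-release of the fixed version counts as unpatched."""
    inst, fix = parse_version(installed), parse_version(fixed)
    width = max(len(inst), len(fix))
    inst += (0,) * (width - len(inst))
    fix += (0,) * (width - len(fix))
    if inst != fix:
        return inst > fix
    return not is_prerelease(installed)


def installed_version() -> Optional[str]:
    """Version string of the locally installed distribution, or None if absent."""
    try:
        return version(DISTRIBUTION)
    except PackageNotFoundError:
        return None


if __name__ == "__main__":
    current = installed_version()
    if current is None:
        print(f"{DISTRIBUTION} is not installed in this environment")
    else:
        status = "patched" if is_patched(current) else "VULNERABLE, upgrade to " + FIXED_VERSION
        print(f"{DISTRIBUTION} {current}: {status}")
```

Run this in the same Python environment that serves Label Studio (a container or virtualenv), since a different interpreter will report a different, possibly missing, package.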

Always keep your Label Studio installation up to date with the latest patches. Use strong, unique passwords for all your accounts, and be wary of any suspicious login or authorization requests. Staying on top of security updates is critical to protecting your data and accounts from attackers.
