CVE-2023-43791
Label Studio has Hardcoded Django `SECRET_KEY` that can be Abused to Forge Session Tokens
Severity: 9.8 CRITICAL (CVSS 3.1) | EPSS 0.82%
Description
Label Studio is a multi-type data labeling and annotation tool with a standardized output format. Affected versions ship with a hardcoded Django `SECRET_KEY`, which allows session tokens to be forged; chained with the ORM Leak vulnerability, this can be used to impersonate any account on Label Studio. An attacker could exploit these vulnerabilities to escalate their privileges from a low-privilege user to a Django Super Administrator user. The vulnerability affects versions before `1.8.2`, where a patch was introduced.
How to fix CVE-2023-43791
To remediate CVE-2023-43791, upgrade the affected package to one of the fixed versions listed below.
- Upgrade to 1.8.2 or later
- Upgrade to commit 3d06c5131c15600621e08b06f07d976887cde81b or later
Is CVE-2023-43791 being exploited?
Low: EPSS is 0.8%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- Versions from 0, below 1.8.2
- Commits before 3d06c5131c15600621e08b06f07d976887cde81b (versions from 0, below 1.8.2)
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL (9.8) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |