CVE-2022-36551
Vexday Risk Score: 23 (Low)
SSVC decision (CISA): Attend
PoC available → attend closely
CVSS: —
EPSS: 5.1%
KEV: no
PoC: public
Nuclei: —
Metasploit: —
Patch: —
Lifecycle
03 Oct 2022: Published on NVD
28 Mar 2023: Public PoC
Recommendation: Plan a near-term fix — a public PoC already exists.
A Server Side Request Forgery (SSRF) in the Data Import module in Heartex - Label Studio Community Edition versions 1.5.0 and earlier allows an authenticated user to access arbitrary files on the system. Furthermore, self-registration is enabled by default in these versions of Label Studio enabling a remote attacker to create a new account and then exploit the SSRF.
Affected products
n/a · n/a

Public PoCs found: 2
- cve_reference: packetstormsecurity.com/files/171548/Label-Studio-1.5.0-Server-Side-Request-Forgery.html (unverified)
- exploitdb: www.exploit-db.com/exploits/51109 (unverified)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.