Headline
CVE-2022-36551: Data Labeling Platform for Machine Learning — Heartex
A Server Side Request Forgery (SSRF) in the Data Import module in Heartex - Label Studio Community Edition versions 1.5.0 and earlier allows an authenticated user to access arbitrary files on the system. Furthermore, self-registration is enabled by default in these versions of Label Studio enabling a remote attacker to create a new account and then exploit the SSRF.
Power up your
data labeling team
Data labeling is a team sport. Data scientists, subject matter experts, engineers, operations, and annotators must work collaboratively to ensure quality results and an efficient process.
Book a 15-min demo
You’ll be talking with Michael,
co-founder of Heartex
Related news
Label Studio versions 1.5.0 and below suffer from a server-side request forgery vulnerability.
A Server Side Request Forgery (SSRF) in the Data Import module in Heartex - Label Studio Community Edition versions 1.5.0 and earlier allows an authenticated user to access arbitrary files on the system. Furthermore, self-registration is enabled by default in these versions of Label Studio enabling a remote attacker to create a new account and then exploit the SSRF. This issue is fixed in version 1.6.0.