PyPi: Label-Studio

CVE-2023-47116

Safety vulnerability ID: 64822

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created Jan 31, 2024; updated May 21, 2024

Advisory

Label-studio 1.11.0 addresses CVE-2023-47116 by introducing more exhaustive IP validation for its Server-Side Request Forgery (SSRF) defenses. This includes banning all IPs within reserved blocks, for both IPv4 and IPv6, by default. Users can also ban additional blocks with USER_ADDITIONAL_BANNED_SUBNETS, or supply their full list of banned IP blocks themselves by turning off USE_DEFAULT_BANNED_SUBNETS. By default, USE_DEFAULT_BANNED_SUBNETS is set to True. Additionally, the error message shown when SSRF protection blocks an upload has been made more informative.
https://github.com/HumanSignal/label-studio/pull/5316

Affected package

label-studio

Latest version: 1.12.1

Label Studio annotation tool

Affected versions

Fixed versions

Vulnerability changelog

🌟 What's New

🎉 New Features

Consolidated Label Studio Codebase

This release introduces a simplified Label Studio repository structure.

Previously, the Label Studio frontend and Data Manager codebases were each located in a separate repository: [label-studio-frontend](https://github.com/HumanSignal/label-studio-frontend) and [dm2](https://github.com/HumanSignal/dm2). Starting with this release, the Label Studio Frontend and Data Manager code will be updated and maintained in the main [label-studio](https://github.com/HumanSignal/label-studio/tree/develop) repository.

The Label Studio Frontend code is now located in the label-studio repository under **`web/libs/editor`**, and the Data Manager code can be found under **`web/libs/datamanager`**. For more information, see our [contributing guide](https://github.com/HumanSignal/label-studio/blob/develop/CONTRIBUTING.md#code-organization).

This consolidated codebase has many benefits, including streamlined and simplified workflows, increased efficiency when performing cross-component changes, and improved navigation. Most importantly, a unified codebase will make it easier for our Open Source community to navigate and understand the Label Studio code architecture, lowering the barrier to entry for new contributors. ([5154](https://github.com/HumanSignal/label-studio/pull/5154))

🔐 Security

- This release includes several measures to increase SSRF protection (5316), which address [`CVE-2023-47116`](https://github.com/HumanSignal/label-studio/security/advisories/GHSA-p59w-9gqw-wj8r) (https://github.com/HumanSignal/label-studio/pull/5316):
  - When `SSRF_PROTECTION_ENABLED` is set to `true` (note that it defaults to `false`), our new default is to ban [all IPs within reserved blocks](https://en.wikipedia.org/wiki/Reserved_IP_addresses), for both IPv4 and IPv6.
  - We are introducing two new environment variables, to be used in conjunction with `SSRF_PROTECTION_ENABLED=true`:
    - `USER_ADDITIONAL_BANNED_SUBNETS` — Use this to specify additional IP addresses or CIDR blocks to ban from server-side requests (e.g. the URL-based file uploader).
    - `USE_DEFAULT_BANNED_SUBNETS` — This is set to `True` by default. If you would like to have full control over banned subnets, you can set this to `False` and use `USER_ADDITIONAL_BANNED_SUBNETS` to specify all the IP addresses / CIDR blocks you'd like to disallow instead.
  - We have also improved our error messages to make it clearer when an action is being blocked due to SSRF protections.
- Implemented comprehensive HTML sanitization to safeguard against vulnerabilities and ensure a secure user experience. ([5232](https://github.com/HumanSignal/label-studio/pull/5232))
- Addressed several vulnerabilities found in the npm-axios package. ([5229](https://github.com/HumanSignal/label-studio/pull/5229))
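The deny-list logic that the advisory and the Security notes above describe, as an added Python example (not Label Studio's own code): it builds the effective banned-subnet list from the two switches, checks a resolved address against it (also judging IPv4-mapped IPv6 literals by their embedded IPv4 address, so an operator-supplied list that names only an IPv4 range still catches them), and gates a fetch URL on every address its host resolves to. The comma-separated format of `USER_ADDITIONAL_BANNED_SUBNETS`, the exact reserved blocks in the default list, and the injected `resolve` callable are assumptions made for this example.

```python
import ipaddress
from urllib.parse import urlsplit

# Reserved IPv4/IPv6 blocks (IANA special-purpose registries) that a default-on
# SSRF deny list refuses. Constructed for this example, not Label Studio's own list.
DEFAULT_BANNED_SUBNETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.88.99.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4", "255.255.255.255/32",
    "::/128", "::1/128", "::ffff:0:0/96", "64:ff9b::/96", "100::/64",
    "2001::/32", "2001:db8::/32", "2002::/16", "fc00::/7", "fe80::/10", "ff00::/8",
)]


def banned_subnets(use_default=True, additional=""):
    """Effective deny list from the two switches: USE_DEFAULT_BANNED_SUBNETS and
    USER_ADDITIONAL_BANNED_SUBNETS (assumed here to be comma-separated IPs/CIDRs)."""
    subnets = list(DEFAULT_BANNED_SUBNETS) if use_default else []
    for item in additional.split(","):
        if item.strip():
            subnets.append(ipaddress.ip_network(item.strip(), strict=False))
    return subnets


def is_banned(ip, subnets=None):
    """True if a resolved address lies in a banned block. IPv4-mapped IPv6 literals
    are also judged as their embedded IPv4, so ::ffff:127.0.0.1 hits 127.0.0.0/8
    even when an operator-supplied list names only the IPv4 range."""
    if subnets is None:
        subnets = DEFAULT_BANNED_SUBNETS
    addr = ipaddress.ip_address(ip)
    candidates = [addr]
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        candidates.append(addr.ipv4_mapped)
    return any(c in net for c in candidates for net in subnets)


def url_is_allowed(url, resolve, subnets=None):
    """Gate a user-supplied fetch URL (the URL-based uploader): every address the host
    resolves to must be outside the deny list. `resolve(host) -> [ip, ...]` is injected
    so this runs offline; in production wrap socket.getaddrinfo and connect to the
    vetted address itself, so a later DNS change cannot steer the request inward."""
    host = urlsplit(url).hostname
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        addrs = [host]          # IP literal in the URL: nothing to resolve
    except ValueError:
        addrs = resolve(host)
    return bool(addrs) and not any(is_banned(a, subnets) for a in addrs)
```

A host that resolves to a mix of public and banned addresses is refused outright, since a client may pick any of the returned records.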

🐞 Bug Fixes

- Fixed an issue where Label Studio crashed when configuring multiple hotkeys using the `hotkey=","` format. ([5240](https://github.com/HumanSignal/label-studio/pull/5240))
- Fixed an issue where credential validation was failing in the Label Studio interface for cloud storages configured using SDK. ([5228](https://github.com/HumanSignal/label-studio/pull/5228))
- Fixed an issue where cancelled and updated annotations were not recalculating `is_labeled` and other counters. ([4472](https://github.com/HumanSignal/label-studio/pull/4472))
- Fixed an issue where annotation drafts were not changing when switching to view all mode. ([5141](https://github.com/HumanSignal/label-studio/pull/5141))
- Fixed an issue where users would encounter an error when using the **Storage filename** filter in the Data Manager. ([5289](https://github.com/HumanSignal/label-studio/pull/5289))
- Fixed an issue where users were unable to use the **View all annotations** option when the project included images that had an empty URL. ([5245](https://github.com/HumanSignal/label-studio/pull/5245))
- Fixed an issue where relations were not displayed if they were added by a user while reviewing a task. ([5140](https://github.com/HumanSignal/label-studio/pull/5140))
- Fixed an issue where users were seeing the Comments tab (an Enterprise-only feature) when resizing their screen. ([5230](https://github.com/HumanSignal/label-studio/pull/5230))

🤩 Contributors

- juliosgarbi
- jombooth
- Gondragos
- hlomzik
- KonstantinKorotaev
- makseq
- Travis1282


Severity Details

CVSS Base Score: MEDIUM 5.3

CVSS v3 Details

Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality Impact (C): LOW
Integrity Impact (I): NONE
Availability Impact (A): NONE