Arbitrary Code Execution

Affecting label-studio package, versions <0.9.1


Overview

label-studio is a data labeling tool that is backend agnostic and can be embedded into your applications.

Affected versions of this package are vulnerable to Arbitrary Code Execution. A YAML deserialization attack is possible because YAML input is loaded unsafely.
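As an added example (not code from the advisory or from the label-studio project), the unsafe PyYAML loading pattern behind this class of bug next to its hardened form, plus a pre-load tag scan that is useful for logging refused input. It assumes the YAML library is PyYAML; the sample document, function names and field names are constructed for illustration.

```python
import yaml

# Constructed sample input (not from the advisory): a YAML document carrying a
# PyYAML-specific tag. Here it only calls builtins.sorted, but a loader that
# honours python/* tags calls whatever importable callable the tag names.
TAGGED_DOC = """
project: demo
label_config: !!python/object/apply:builtins.sorted [[3, 1, 2]]
"""

PYTHON_TAG_PREFIX = "tag:yaml.org,2002:python/"

def load_unsafe(text):
    """The bug pattern: yaml.Loader constructs Python objects from python/* tags."""
    return yaml.load(text, Loader=yaml.Loader)

def load_safe(text):
    """Hardened form: safe_load builds plain YAML types only and rejects other tags.
    Returns (value, None) on success or (None, message) when the document is refused."""
    try:
        return yaml.safe_load(text), None
    except yaml.YAMLError as exc:
        return None, str(exc)

def find_python_tags(text):
    """Detection aid: walk the node graph without constructing anything and return
    every python/* tag, so a refused document can be logged with the offending tag."""
    found = []

    def walk(node):
        if node.tag.startswith(PYTHON_TAG_PREFIX):
            found.append(node.tag)
        if isinstance(node, yaml.MappingNode):
            for key, value in node.value:
                walk(key)
                walk(value)
        elif isinstance(node, yaml.SequenceNode):
            for item in node.value:
                walk(item)

    root = yaml.compose(text, Loader=yaml.SafeLoader)  # parse and compose only
    if root is not None:
        walk(root)
    return found

if __name__ == "__main__":
    print("unsafe:", load_unsafe(TAGGED_DOC))   # the tagged callable ran: [1, 2, 3]
    print("tags:", find_python_tags(TAGGED_DOC))
    print("safe:", load_safe(TAGGED_DOC))       # (None, 'could not determine a constructor ...')
```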

Remediation

Upgrade label-studio to version 0.9.1 or higher.

CVSS Score

4.8 (medium severity)
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: Low
  • Availability: None
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Credit: huntr-helper
CWE: CWE-94
Snyk ID: SNYK-JS-LABELSTUDIO-1075517
Disclosed: 17 Feb, 2021
Published: 17 Feb, 2021