CVE-2022-36551: 
Python vulnerability analysis and mitigation

A Server Side Request Forgery (SSRF) vulnerability was discovered in the Data Import module of Heartex - Label Studio Community Edition versions 1.5.0 and earlier. The vulnerability allows an authenticated user to access arbitrary files on the system. Additionally, since self-registration is enabled by default in these versions, a remote attacker could create a new account and then exploit the SSRF (NVD).

The vulnerability exists in the Data Import functionality where users could use the file:// URL schema (e.g., file:///etc/passwd) to access local files on the running system. When submitting such a URL, Label Studio would fetch the local file and add it to the project, making it accessible in the /data/uploads folder. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (MEDIUM) with the vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (NVD).

The vulnerability allows authenticated users to access arbitrary files on the system, potentially exposing sensitive information including environment variables and system files. The impact is heightened by the fact that self-registration is enabled by default, allowing attackers to easily gain the necessary authentication to exploit the vulnerability (NVD).

The vulnerability has been fixed by adding validation to prevent the use of file:// URLs for importing local files. Instead, users are recommended to use the Local Storage functionality for file access on hard drives, which provides a more controllable and secure way to access local files (GitHub PR).