CVE-2023-47116: 
Python vulnerability analysis and mitigation

CVE-2023-47116 affects Label Studio, a popular open source data labeling tool, in all versions prior to 1.11.0. The vulnerability was discovered in August 2023 and publicly disclosed on January 30, 2024. The issue involves a Server-Side Request Forgery (SSRF) protection bypass that could allow attackers to access internal web servers despite having SSRF protections enabled (GitHub Advisory).

The vulnerability exists in Label Studio's SSRF protection mechanism that can be enabled via the SSRF_PROTECTION_ENABLED environment variable. The flaw occurs because the SSRF validation is performed by executing a single DNS lookup to verify that the IP address is not in an excluded subnet range. This protection can be circumvented through either HTTP redirection or a DNS rebinding attack. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (GitHub Advisory).

The SSRF vulnerability poses a significant risk, particularly in cloud environments where instance credentials are managed by internal web APIs. An attacker can bypass Label Studio's SSRF protections to access internal web servers and partially compromise the confidentiality of those internal servers (GitHub Advisory).

The vulnerability has been patched in Label Studio version 1.11.0. The fix includes enhanced SSRF protection measures with two new environment variables: USER_ADDITIONAL_BANNED_SUBNETS for specifying additional IP addresses or CIDR blocks to ban, and USE_DEFAULT_BANNED_SUBNETS (default: True) for controlling the use of default banned subnets. The patch also includes improved error messages for SSRF protection blocks (Label Studio Release).