CVE-2023-47117: 
Python vulnerability analysis and mitigation

Label Studio, an open source data labeling tool, was found to contain a vulnerability (CVE-2023-47117) in versions prior to 1.9.2post0. The vulnerability allows users to insecurely set filters for filtering tasks, enabling attackers to construct filter chains to access sensitive fields for all user accounts on the platform by exploiting Django's Object Relational Mapper (ORM) (GitHub Advisory).

The vulnerability exists in the application's task filtering functionality where unsanitized values are used for constructing filters in Django's ORM queries. An attacker can exploit this by creating specially crafted filter chains, such as 'filter:tasks:updatedby_activeorganization_activeusers_password', to leak sensitive information character by character. The vulnerability is compounded by a hardcoded secret key that could be used to forge session tokens of any user by exploiting the ORM Leak to obtain password hashes. The issue has been assigned a CVSS v3.1 base score of 7.5 (High) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (GitHub Advisory).

This vulnerability can be exploited to completely compromise the confidentiality of highly sensitive account information, particularly account password hashes. In versions ≤1.8.1, when combined with the hardcoded SECRET_KEY, attackers could forge session tokens for any user on Label Studio, potentially compromising both system integrity and availability (GitHub Advisory).

The vulnerability has been patched in version 1.9.2post0 with commit f931d9d129. The fix includes proper validation of filter values against an allowlist before performing queries. Users are strongly advised to upgrade to this version or later. There are no known workarounds for this vulnerability (GitHub Advisory, Patch).