GHSA-cpmr-mw4j-99r7: 
Python vulnerability analysis and mitigation

A high severity vulnerability (GHSA-cpmr-mw4j-99r7) was discovered in Label Studio versions <= 1.7.1, patched in version 1.7.2. The vulnerability is a path traversal issue in the Nginx configuration file that allows unauthenticated attackers to read all files in the /label_studio/core/ directory. The vulnerability was published on March 24, 2023, and received a CVSS score of 7.5 (GitHub Advisory).

The vulnerability exists in the Nginx configuration file where the location /static directive lacks a trailing slash. This misconfiguration allows attackers to use path traversal via /static../ to access files one directory above the intended path. The issue affects Label Studio instances deployed using the default nginx files introduced on March 31, 2021. The vulnerability has a CVSS v3.1 score of 7.5 with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility, low attack complexity, and no required privileges or user interaction (GitHub Advisory).

The vulnerability allows unauthorized access to sensitive files, particularly exposing Django secret keys and other potential secrets stored in /labelstudio/core/settings/labelstudio.py. This exposure could lead to security compromises if administrators store sensitive configuration data in these files instead of using environment variables (GitHub Advisory).

The vulnerability was patched in Label Studio version 1.7.2. The fix involves adding a trailing slash to the location /static directive in the Nginx configuration. A secure configuration example would use location /static/ instead of location /static (GitHub Advisory).