CVE-2023-43791: Hardcoded Django Secret Key Vulnerability in Label Studio
Label Studio is a popular open-source data labeling tool that is used by machine learning teams of all sizes to prepare and improve training data. However, a recent security vulnerability in Label Studio has put users at risk of having their accounts compromised.
The vulnerability, assigned CVE-2023-43791 and a CVSS score of 9.8, is a hardcoded Django SECRET_KEY. In Django, SECRET_KEY is the secret from which the framework derives the HMAC keys it uses to sign session cookies, CSRF tokens, password-reset tokens and any other value it needs to recognise as its own later. In Label Studio, that signature is what lets the server distinguish a session it issued from one an attacker minted, so the key is effectively what enforces that only users who have actually logged in hold a valid session.
Version 1.8.1 of Label Studio shipped with a Django SECRET_KEY hardcoded in its application settings. The key is what makes session tokens tamper-evident: the server signs the session payload with an HMAC derived from SECRET_KEY and rejects any cookie whose signature does not verify.
In a correctly configured deployment the key is generated once per installation and kept out of source control, typically loaded from an environment variable or a secrets store. Here it was committed to the public repository, so every deployment that did not override it used the same key, and anyone who read the source could compute the same signatures the server trusts.
Knowing the key is not enough on its own. Django binds each session to the user's credentials through the _auth_user_hash claim, an HMAC keyed from SECRET_KEY over the user's stored password hash, and compares it against the current password hash on every request. Without the password hash an attacker cannot produce a session that passes that check, which is why a leaked SECRET_KEY is normally only half of a forgery. In Label Studio 1.8.1 the other half was available: an authenticated attacker could use a separate Object Relational Mapper (ORM) leak to extract the password hash of any account. With the hardcoded key and the leaked hash, the attacker can compute a valid _auth_user_hash, sign a session payload for the target user, and present it as their own cookie. No password cracking is required, since the hash is used as-is.
The chain is therefore a privilege escalation from any low-privileged account to any other account, including a Django superuser, giving the attacker full administrative control of the application.
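The forgery chain described above, as an added example that is not Label Studio's or Django's code. It is a standard-library model of the session construction: the HMAC derivation mirrors Django's salted_hmac(), but the cookie layout is simplified and not byte-compatible with django.core.signing. The key, user table and password hashes are constructed for the demo; HARDCODED_SECRET_KEY is a hypothetical stand-in for whatever value shipped in the source, not the real one. The last function shows the fix side, loading a per-deployment key and refusing to start with the known-bad value.

```python
"""
Added example (not Label Studio or Django code): a stdlib model of how a
Django-style signed-cookie session is bound to SECRET_KEY and to the user's
password hash, and why a leaked SECRET_KEY plus a leaked password hash is
enough to forge a superuser session.

The HMAC construction mirrors django.utils.crypto.salted_hmac (sha256);
the cookie format below is simplified and NOT byte-compatible with
django.core.signing. All keys, users and hashes are constructed.
"""
import base64
import hashlib
import hmac
import json
import os
import secrets
from typing import Optional

# Hypothetical stand-in for the key that was committed to the repo (constructed).
HARDCODED_SECRET_KEY = "hardcoded-example-key-do-not-use"

# Constructed user table: user id -> (is_superuser, stored password hash).
USERS = {
    1: {"is_superuser": True, "password": "pbkdf2_sha256$600000$salt$fakehashAAAA"},
    7: {"is_superuser": False, "password": "pbkdf2_sha256$600000$salt$fakehashBBBB"},
}


def salted_hmac(key_salt: str, value: str, secret: str) -> bytes:
    """Same construction as Django's salted_hmac(): the HMAC key is
    SHA-256(key_salt + secret), so knowing SECRET_KEY lets you reproduce
    every MAC the application ever emits, for every salt."""
    key = hashlib.sha256((key_salt + secret).encode()).digest()
    return hmac.new(key, value.encode(), hashlib.sha256).digest()


def session_auth_hash(secret: str, password_hash: str) -> str:
    """What Django stores as _auth_user_hash: an HMAC over the *stored*
    password hash, keyed from SECRET_KEY. A password change or a key
    rotation changes it, which is what invalidates existing sessions."""
    salt = "django.contrib.auth.models.AbstractBaseUser.get_session_auth_hash"
    return salted_hmac(salt, password_hash, secret).hex()


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sign_session(secret: str, payload: dict) -> str:
    """Simplified signed cookie: base64(json payload) + ':' + base64(HMAC)."""
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = _b64(salted_hmac("sessions.signer", body, secret))
    return f"{body}:{sig}"


def load_session(secret: str, cookie: str) -> Optional[dict]:
    """Server-side check: the signature must verify under *this* deployment's
    key, and the embedded _auth_user_hash must match the user's current
    password hash. Returns the session dict, or None if rejected."""
    try:
        body, sig = cookie.rsplit(":", 1)
    except ValueError:
        return None
    expected = _b64(salted_hmac("sessions.signer", body, secret))
    if not hmac.compare_digest(sig, expected):
        return None
    payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    user = USERS.get(payload.get("_auth_user_id"))
    if user is None:
        return None
    if not hmac.compare_digest(payload.get("_auth_user_hash", ""),
                               session_auth_hash(secret, user["password"])):
        return None
    return payload


def forge_session(known_secret: str, user_id: int, leaked_password_hash: str) -> str:
    """Attacker side: with the hardcoded SECRET_KEY and a password hash
    obtained through the ORM leak, no cracking is needed; the hash is
    used exactly as the server would use it."""
    return sign_session(known_secret, {
        "_auth_user_id": user_id,
        "_auth_user_hash": session_auth_hash(known_secret, leaked_password_hash),
    })


def load_secret_key(env=os.environ) -> str:
    """Fix side: take a per-deployment key from the environment and refuse
    to start with the value that was hardcoded in the source tree.
    DJANGO_SECRET_KEY is an assumed variable name for this demo."""
    key = env.get("DJANGO_SECRET_KEY", "")
    if not key or key == HARDCODED_SECRET_KEY or len(key) < 50:
        raise RuntimeError("DJANGO_SECRET_KEY must be set to a unique secret of 50+ chars")
    return key


if __name__ == "__main__":
    forged = forge_session(HARDCODED_SECRET_KEY, 1, USERS[1]["password"])
    print("vulnerable deployment accepts forged superuser session:",
          load_session(HARDCODED_SECRET_KEY, forged) is not None)
    fixed_key = load_secret_key({"DJANGO_SECRET_KEY": secrets.token_urlsafe(48)})
    print("deployment with its own key accepts it:",
          load_session(fixed_key, forged) is not None)
```

Two details worth noticing when running it: forging with the wrong password hash (say, user 7's hash for user 1) is rejected even with the right key, which is why the ORM leak is a necessary part of the chain; and simply rotating to a unique key makes every previously forged cookie fail, with no change to the session code itself.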
The Label Studio developers removed the hardcoded SECRET_KEY starting with version 1.8.2, which also addresses the ORM leak. If you run Label Studio, upgrade to 1.8.2 or later as soon as possible. After upgrading, make sure each deployment has its own randomly generated SECRET_KEY supplied through configuration rather than source, and note that rotating the key invalidates all existing sessions, which is the intended effect here since any session issued under the old key may have been forged.