@blamejs/exceptd-skills 0.13.107 → 0.13.109

package/data/atlas-ttps.json

@@ -1736,7 +1736,10 @@
     "stix_id": "attack-pattern--ebeed0c7-c5de-5049-8f27-efcae5f88b00",
     "is_subtechnique": false,
     "cve_refs": [
+      "CVE-2022-36551",
       "CVE-2023-43654",
+      "CVE-2023-43791",
+      "CVE-2023-47117",
       "CVE-2023-48022",
       "CVE-2023-51449",
       "CVE-2023-6019",
@@ -1755,6 +1758,7 @@
       "CVE-2024-42479",
       "CVE-2024-4889",
       "CVE-2024-6587",
+      "CVE-2025-25297",
       "CVE-2025-27520",
       "CVE-2025-30202",
       "CVE-2025-32444",

package/data/attack-techniques.json

@@ -521,6 +521,7 @@
       "CVE-2020-24363",
       "CVE-2021-32030",
       "CVE-2023-27351",
+      "CVE-2023-43791",
       "CVE-2023-50224",
       "CVE-2024-1709",
       "CVE-2024-54085",
@@ -867,6 +868,7 @@
       "CVE-2021-22681",
       "CVE-2021-26828",
       "CVE-2022-1471",
+      "CVE-2022-36551",
       "CVE-2022-37055",
       "CVE-2022-40799",
       "CVE-2022-48503",
@@ -877,6 +879,8 @@
       "CVE-2023-3519",
       "CVE-2023-39780",
       "CVE-2023-43654",
+      "CVE-2023-43791",
+      "CVE-2023-47117",
       "CVE-2023-48022",
       "CVE-2023-51449",
       "CVE-2023-52163",
@@ -927,6 +931,7 @@
       "CVE-2025-24016",
       "CVE-2025-24893",
       "CVE-2025-25257",
+      "CVE-2025-25297",
       "CVE-2025-26399",
       "CVE-2025-27520",
       "CVE-2025-2775",
@@ -1253,6 +1258,7 @@
     "name": "Exploitation for Credential Access",
     "version": "v19",
     "cve_refs": [
+      "CVE-2023-43791",
       "CVE-2025-14174"
     ],
     "description_full": "Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Credentialing and authentication mechanisms may be targeted for exploitation by adversaries as a means to gain access to useful credentials or circumvent the process to gain authenticated access to systems. One example of this is `MS14-068`, which targets Kerberos and can be used to forge Kerberos tickets using domain user permissions.(Citation: Technet MS14-068)(Citation: ADSecurity Detecting Forged Tickets) Another example of this is replay attacks, in which the adversary intercepts data packets sent between parties and then later replays these packets. If services don't properly validate authentication requests, these replayed packets may allow an adversary to impersonate one of the parties and gain unauthorized access or privileges.(Citation: Bugcrowd Replay Attack)(Citation: Comparitech Replay Attack)(Citation: Microsoft Midnight Blizzard Replay Attack) Such exploitation has been demonstrated in cloud environments as well. For example, adversaries have exploited vulnerabilities in public cloud infrastructure that allowed for unintended authentication token creation and renewal.(Citation: Storm-0558 techniques for unauthorized email access) Exploitation for credential access may also result in Privilege Escalation depending on the process targeted or credentials obtained.",
@@ -1541,6 +1547,7 @@
     "name": "Unsecured Credentials",
     "version": "v19",
     "cve_refs": [
+      "CVE-2023-47117",
       "CVE-2025-68664",
       "MAL-2025-PYPI-COLORAMA-SOLANA-STEALER",
       "MAL-2026-RUBYGEMS-BUFFERZONECORP-SLEEPER"
@@ -3647,7 +3654,11 @@
       "Windows"
     ],
     "stix_id": "attack-pattern--731f4f55-b6d0-41d1-a7a9-072a66389aea",
-    "is_subtechnique": false
+    "is_subtechnique": false,
+    "cve_refs": [
+      "CVE-2022-36551",
+      "CVE-2025-25297"
+    ]
   },
   "T1091": {
     "id": "T1091",

package/data/cve-catalog.json

@@ -55,7 +55,7 @@
     "ai_discovery_methodology": {
       "field_added": "2026-05-15",
       "agents_md_target": "Hard Rule #7 — '41% of 2025 zero-days were AI-discovered'. Catalog target rate floor: 0.40.",
-      "current_rate": 0.031,
+      "current_rate": 0.030,
       "current_floor_enforced_by_test": 0.03,
       "ladder_to_target": [
         0.03,
@@ -16884,6 +16884,419 @@
     "_intake_method": "manual-verified-curation",
     "_kev_short_description": "A malicious MLflow Recipe runs code when executed (CWE-502 unsafe deserialization); no patched version - treat MLflow artifacts as untrusted code."
   },
+  "CVE-2025-25297": {
+    "name": "Label Studio S3 Storage Endpoint Server-Side Request Forgery",
+    "type": "SSRF",
+    "cvss_score": 7.7,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
+    "cvss_note": "NIST (NVD) CVSS v3.1 base 7.7 (HIGH, PR:L); the GitHub (CNA) advisory rates it 8.6 (HIGH, PR:N - it treats the action as unauthenticated). Label Studio's S3 storage feature does not validate the custom endpoint URL, so an attacker points it at internal services or cloud metadata and the server issues the request, leaking data via the responses (CWE-918 SSRF).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the disclosing advisory (https://github.com/advisories/GHSA-m238-fmcw-wh58): point the S3 storage endpoint at an internal address / cloud-metadata endpoint and the Label Studio server issues the request.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via the GitHub Security Advisory (https://github.com/advisories/GHSA-m238-fmcw-wh58). The abused surface is Label Studio, a widely used data-labeling / annotation platform in ML pipelines.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is an unvalidated server-side fetch in an ML data-pipeline platform's S3 storage endpoint.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "Label Studio before 1.16.0.",
+    "affected_versions": [
+      "Label Studio < 1.16.0"
+    ],
+    "vector": "Label Studio's S3 cloud-storage integration accepts a custom S3 endpoint URL without validation. An attacker sets the endpoint to an internal address or cloud-metadata service; the Label Studio server makes the request and returns data from the responses - a server-side request forgery that bypasses network segmentation (CWE-918).",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:L - network-reachable; requires an account, but lower-privilege users can configure the storage endpoint.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading to 1.16.0 or later; redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Label Studio to 1.16.0 or later. Validate and allowlist destinations for the S3 storage endpoint (block private/link-local/cloud-metadata addresses and file:// schemes), and disable self-registration if not required."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SC-7": "Boundary protection does not treat the ML data platform's server-side fetch (S3 storage endpoint) as an egress that can reach internal services.",
+      "NIST-800-53-SI-10": "Input validation is not applied to the user-supplied URL/endpoint before the server fetches it.",
+      "NIST-800-53-AC-3": "Access enforcement does not constrain who can configure a server-side fetch, and lower-privilege users can set the storage endpoint.",
+      "ISO-27001-2022-A.8.22": "Network segregation is bypassed: the platform fetches attacker-chosen internal URLs server-side.",
+      "NIS2-Art21-network-security": "Network-security measures do not enumerate ML data-platform SSRF as an internal-pivot surface.",
+      "DORA-Art-9": "ICT protection measures do not model server-side request forgery from an ML data platform as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for validating server-side fetch destinations in ML data platforms.",
+      "AU-ISM-1546": "Patch-application control does not single out ML data-labeling platforms.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an ML data-pipeline platform's import/storage URL fetch as an egress that must validate and allowlist destinations."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1090"
+    ],
+    "rwep_score": 23,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 18,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Moderate (RWEP 23, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at disclosure (Hard Rule #3): poc_available=20 + blast_radius=18 (SSRF - internal reach / data exfil, not direct RCE), minus patch_available 15.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2025-25297",
+    "cwe_refs": [
+      "CWE-918"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Label Studio S3 storage endpoint configured with an internal/private address, cloud-metadata endpoint (169.254.169.254), or file:// URL.",
+        "Outbound requests from the Label Studio server to internal services or metadata endpoints not part of normal operation.",
+        "Label Studio < 1.16.0 with S3 storage configurable by lower-privilege users - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the GitHub Security Advisory (https://github.com/advisories/GHSA-m238-fmcw-wh58) and NVD CVE-2025-25297 (CWE-918)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-25297",
+      "https://github.com/advisories/GHSA-m238-fmcw-wh58"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2025-25297",
+        "url": "https://github.com/advisories/GHSA-m238-fmcw-wh58",
+        "severity": "high",
+        "published_date": "2025-02-14"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2025-25297",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25297",
+        "severity": "high",
+        "published_date": "2025-02-14"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from the GitHub Security Advisory (https://github.com/advisories/GHSA-m238-fmcw-wh58, CWE-918) + NVD (CVSS v3.1 7.7; GitHub CNA 8.6). Data-labeling / ML-pipeline platform flaw (Label Studio); introduces the AI data-pipeline import/storage SSRF control NEW-CTRL-105.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Label Studio's S3 storage feature does not validate the custom endpoint URL, letting an attacker reach internal services / cloud metadata via the server (CWE-918 SSRF); fixed in 1.16.0."
+  },
+  "CVE-2022-36551": {
+    "name": "Label Studio Data Import Server-Side Request Forgery",
+    "type": "SSRF",
+    "cvss_score": 6.5,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
+    "cvss_note": "NIST (NVD) CVSS v3.1 base 6.5 (MEDIUM, PR:L). Label Studio's Data Import module fetches a user-supplied URL without restriction, so an authenticated user (self-registration is enabled by default, so effectively any remote attacker) reads arbitrary files / reaches internal services via the server (CWE-918 SSRF).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the disclosing advisory (https://github.com/advisories/GHSA-pc6f-259w-w3j6): point the Data Import URL fetch at an internal address / cloud-metadata endpoint and the Label Studio server issues the request.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via the GitHub Security Advisory (https://github.com/advisories/GHSA-pc6f-259w-w3j6). The abused surface is Label Studio, a widely used data-labeling / annotation platform in ML pipelines.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is an unvalidated server-side fetch in an ML data-pipeline platform's Data Import URL fetch.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "Label Studio before 1.6.0.",
+    "affected_versions": [
+      "Label Studio < 1.6.0"
+    ],
+    "vector": "Label Studio's Data Import module fetches a user-supplied URL with no destination restriction, so a user (self-registration is on by default, so any remote attacker can obtain an account) supplies file:// or internal URLs and the server reads arbitrary files or reaches internal services - a server-side request forgery (CWE-918).",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:L - network-reachable; requires an account, but self-registration is on by default.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading to 1.6.0 or later; redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Label Studio to 1.6.0 or later. Validate and allowlist destinations for the Data Import URL fetch (block private/link-local/cloud-metadata addresses and file:// schemes), and disable self-registration if not required."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SC-7": "Boundary protection does not treat the ML data platform's server-side fetch (Data Import URL fetch) as an egress that can reach internal services.",
+      "NIST-800-53-SI-10": "Input validation is not applied to the user-supplied URL/endpoint before the server fetches it.",
+      "NIST-800-53-AC-3": "Access enforcement does not constrain who can configure a server-side fetch, and self-registration lets any remote user reach it.",
+      "ISO-27001-2022-A.8.22": "Network segregation is bypassed: the platform fetches attacker-chosen internal URLs server-side.",
+      "NIS2-Art21-network-security": "Network-security measures do not enumerate ML data-platform SSRF as an internal-pivot surface.",
+      "DORA-Art-9": "ICT protection measures do not model server-side request forgery from an ML data platform as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for validating server-side fetch destinations in ML data platforms.",
+      "AU-ISM-1546": "Patch-application control does not single out ML data-labeling platforms.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an ML data-pipeline platform's import/storage URL fetch as an egress that must validate and allowlist destinations."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1090"
+    ],
+    "rwep_score": 21,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 16,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Moderate (RWEP 21, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at disclosure (Hard Rule #3): poc_available=20 + blast_radius=16 (SSRF - internal reach / data exfil, not direct RCE), minus patch_available 15.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2022-36551",
+    "cwe_refs": [
+      "CWE-918"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Label Studio Data Import URL fetch configured with an internal/private address, cloud-metadata endpoint (169.254.169.254), or file:// URL.",
+        "Outbound requests from the Label Studio server to internal services or metadata endpoints not part of normal operation.",
+        "Label Studio < 1.6.0 with self-registration enabled (default) - any remote attacker can obtain an account and reach the import SSRF."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the GitHub Security Advisory (https://github.com/advisories/GHSA-pc6f-259w-w3j6) and NVD CVE-2022-36551 (CWE-918)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2022-36551",
+      "https://github.com/advisories/GHSA-pc6f-259w-w3j6"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2022-36551",
+        "url": "https://github.com/advisories/GHSA-pc6f-259w-w3j6",
+        "severity": "high",
+        "published_date": "2022-10-04"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2022-36551",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36551",
+        "severity": "medium",
+        "published_date": "2022-10-04"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from the GitHub Security Advisory (https://github.com/advisories/GHSA-pc6f-259w-w3j6, CWE-918) + NVD (CVSS v3.1 6.5). Data-labeling / ML-pipeline platform flaw (Label Studio); introduces the AI data-pipeline import/storage SSRF control NEW-CTRL-105.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Label Studio's Data Import fetches user-supplied URLs without restriction (self-registration on by default), letting a remote attacker read files / reach internal services via the server (CWE-918 SSRF); fixed in 1.6.0."
+  },
+  "CVE-2023-47117": {
+    "name": "Label Studio ORM Filter Manipulation Sensitive-Field Disclosure",
+    "type": "Information Disclosure",
+    "cvss_score": 7.5,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
+    "cvss_note": "GitHub (CNA) CVSS v3.1 base 7.5 (HIGH, confidentiality-only); NVD has not published its own assessed score. Label Studio lets users set task filters that are passed into a Django ORM query without restriction, so an attacker manipulates the filter to read sensitive fields (including password hashes and tokens) from all user accounts (CWE-200 information exposure).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the disclosing advisory (https://github.com/advisories/GHSA-6hjj-gq77-j4qw); manipulate the task filter to read password hashes/tokens from all accounts.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via the GitHub Security Advisory (https://github.com/advisories/GHSA-6hjj-gq77-j4qw). The abused surface is Label Studio, a widely used data-labeling / annotation platform in ML pipelines.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is broken object-level authorization / sensitive-field exposure in an ML data-platform API.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "Label Studio before 1.9.2post0.",
+    "affected_versions": [
+      "Label Studio < 1.9.2post0"
+    ],
+    "vector": "Label Studio's task-filter feature passes user-controlled filter expressions into a Django ORM query without restricting which fields can be referenced. An attacker crafts a filter that selects sensitive columns (password hashes, auth tokens) across all user accounts and reads them back - a sensitive-field exposure via ORM manipulation (CWE-200) that supplies the material to forge sessions and impersonate users.",
+    "complexity": "low",
+    "complexity_notes": "GitHub CNA AV:N / AC:L / PR:N - unauthenticated field disclosure.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading to 1.9.2post0 or later; redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Label Studio to 1.9.2post0 or later. Enforce object-level authorization and serializer field allowlists on the API (never let user-controlled filters or responses expose secrets, tokens, or other users' fields), and rotate any exposed session-signing secrets / credentials."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-AC-3": "Access enforcement does not constrain which records/fields a user can read - a user-controlled ORM filter reads other accounts' sensitive fields.",
+      "NIST-800-53-SC-28": "Protection of information at rest is insufficient: sensitive fields (password hashes, tokens) are readable through the API and directly usable once leaked.",
+      "ISO-27001-2022-A.5.15": "Access control does not enforce object-level authorization on the ML data-platform API.",
+      "NIS2-Art21-identity-management": "Identity/access measures do not prevent API-level sensitive-field exposure from enabling account impersonation.",
+      "DORA-Art-9": "ICT protection measures do not model API sensitive-field exposure / account takeover of an ML platform as an ICT-risk event.",
+      "UK-CAF-B2": "Identity and Access Control objective has no objective for object-level authorization on AI data-platform APIs.",
+      "UK-CAF-B4": "System Security objective has no objective for serializer field allowlisting / ORM-filter restriction in ML platforms.",
+      "AU-ISM-1546": "Patch-application control does not single out ML data-labeling platforms.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an ML data-platform API's object-level authorization and sensitive-field exposure as integrity controls whose failure yields account takeover."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1552"
+    ],
+    "rwep_score": 23,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 18,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Moderate (RWEP 23, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at disclosure (Hard Rule #3): poc_available=20 + blast_radius=18, minus patch_available 15. This is the first half of a Label Studio privilege-escalation chain - the ORM sensitive-field leak (CVE-2023-47117) supplies the material the impersonation flaw (CVE-2023-43791) replays.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2023-47117",
+    "cwe_refs": [
+      "CWE-200"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Label Studio task-filter requests referencing sensitive columns (password hashes, tokens) or other users' fields.",
+        "API responses returning sensitive fields from accounts other than the requester's.",
+        "Label Studio < 1.9.2post0 with the task-filter API reachable - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the GitHub Security Advisory (https://github.com/advisories/GHSA-6hjj-gq77-j4qw) and NVD CVE-2023-47117 (CWE-200)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2023-47117",
+      "https://github.com/advisories/GHSA-6hjj-gq77-j4qw"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2023-47117",
+        "url": "https://github.com/advisories/GHSA-6hjj-gq77-j4qw",
+        "severity": "high",
+        "published_date": "2023-11-14"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2023-47117",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47117",
+        "severity": "high",
+        "published_date": "2023-11-14"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from the GitHub Security Advisory (https://github.com/advisories/GHSA-6hjj-gq77-j4qw, CWE-200) + NVD (CVSS v3.1 7.5). Label Studio privilege-escalation chain (47117 ORM leak -> 43791 impersonation); introduces the AI-app API object-authorization / field-exposure control NEW-CTRL-106.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Label Studio's task-filter feature passes user input into a Django ORM query unrestricted, leaking sensitive fields (password hashes, tokens) from all accounts (CWE-200); fixed in 1.9.2post0."
+  },
+  "CVE-2023-43791": {
+    "name": "Label Studio Account Impersonation and Privilege Escalation",
+    "type": "Privilege Escalation",
+    "cvss_score": 8.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "NIST (NVD) CVSS v3.1 base 8.8 (HIGH, PR:L); the GitHub (CNA) advisory rates it 9.8 (CRITICAL, PR:N). Label Studio exposes information that lets an attacker impersonate any account and escalate from a low-privilege user to a Django super administrator - chained with the ORM sensitive-field leak (CVE-2023-47117), the exposed secrets/tokens are used to forge authenticated sessions (CWE-200).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the disclosing advisory (https://github.com/advisories/GHSA-f475-x83m-rx5m); chain the ORM leak to forge a session and impersonate / escalate to superadmin.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via the GitHub Security Advisory (https://github.com/advisories/GHSA-f475-x83m-rx5m). The abused surface is Label Studio, a widely used data-labeling / annotation platform in ML pipelines.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is broken object-level authorization / sensitive-field exposure in an ML data-platform API.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "Label Studio before 1.8.2.",
+    "affected_versions": [
+      "Label Studio < 1.8.2"
+    ],
+    "vector": "Label Studio exposes sensitive information that, chained with the ORM sensitive-field leak (CVE-2023-47117), lets an attacker impersonate any account and escalate from a low-privilege user to a Django super administrator. The leaked secrets/tokens are used to forge authenticated sessions and take over accounts (CWE-200 leading to broken object-level authorization).",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:L (GitHub CNA marks PR:N) - a low-privilege account suffices, and the chain reaches Django superadmin.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading to 1.8.2 or later; redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Label Studio to 1.8.2 or later. Enforce object-level authorization and serializer field allowlists on the API (never let user-controlled filters or responses expose secrets, tokens, or other users' fields), and rotate any exposed session-signing secrets / credentials."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-AC-3": "Access enforcement does not constrain which records/fields a user can read - leaked material is replayed to impersonate any account.",
+      "NIST-800-53-SC-28": "Protection of information at rest is insufficient: sensitive fields (password hashes, tokens) are readable through the API and directly usable once leaked.",
+      "ISO-27001-2022-A.5.15": "Access control does not enforce object-level authorization on the ML data-platform API.",
+      "NIS2-Art21-identity-management": "Identity/access measures do not prevent API-level sensitive-field exposure from enabling account impersonation.",
+      "DORA-Art-9": "ICT protection measures do not model API sensitive-field exposure / account takeover of an ML platform as an ICT-risk event.",
+      "UK-CAF-B2": "Identity and Access Control objective has no objective for object-level authorization on AI data-platform APIs.",
+      "UK-CAF-B4": "System Security objective has no objective for serializer field allowlisting / ORM-filter restriction in ML platforms.",
+      "AU-ISM-1546": "Patch-application control does not single out ML data-labeling platforms.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an ML data-platform API's object-level authorization and sensitive-field exposure as integrity controls whose failure yields account takeover."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1078",
+      "T1212"
+    ],
+    "rwep_score": 29,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 24,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Moderate (RWEP 29, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at disclosure (Hard Rule #3): poc_available=20 + blast_radius=24, minus patch_available 15. This is the second half of a Label Studio privilege-escalation chain - the ORM sensitive-field leak (CVE-2023-47117) supplies the material the impersonation flaw (CVE-2023-43791) replays.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2023-43791",
+    "cwe_refs": [
+      "CWE-200"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Authenticated sessions in Label Studio minted/used for accounts the requester should not control, or sudden escalation to Django superadmin.",
+        "Use of leaked password hashes / tokens to forge or replay Label Studio sessions.",
+        "Label Studio < 1.8.2 reachable by a low-privilege user - the exposed precondition for the privesc chain."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the GitHub Security Advisory (https://github.com/advisories/GHSA-f475-x83m-rx5m) and NVD CVE-2023-43791 (CWE-200)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2023-43791",
+      "https://github.com/advisories/GHSA-f475-x83m-rx5m"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2023-43791",
+        "url": "https://github.com/advisories/GHSA-f475-x83m-rx5m",
+        "severity": "critical",
+        "published_date": "2023-11-09"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2023-43791",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43791",
+        "severity": "high",
+        "published_date": "2023-11-09"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from the GitHub Security Advisory (https://github.com/advisories/GHSA-f475-x83m-rx5m, CWE-200) + NVD (CVSS v3.1 8.8; GitHub CNA 9.8). Label Studio privilege-escalation chain (47117 ORM leak -> 43791 impersonation); introduces the AI-app API object-authorization / field-exposure control NEW-CTRL-106.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Label Studio exposes information enabling account impersonation and escalation to Django superadmin (chained with the ORM leak CVE-2023-47117); CWE-200, fixed in 1.8.2."
+  },
   "CVE-2026-41091": {
     "name": "Microsoft Defender (Malware Protection Engine) Link-Following LPE to SYSTEM",
     "type": "LPE",

package/data/cwe-catalog.json

@@ -521,6 +521,8 @@
       "webapp-security"
     ],
     "evidence_cves": [
+      "CVE-2023-43791",
+      "CVE-2023-47117",
       "CVE-2024-40635",
       "CVE-2025-31125",
       "CVE-2026-20133",
@@ -1868,10 +1870,12 @@
       "CVE-2021-22054",
       "CVE-2021-22175",
       "CVE-2021-39935",
+      "CVE-2022-36551",
       "CVE-2023-43654",
       "CVE-2023-48022",
       "CVE-2023-51449",
       "CVE-2024-6587",
+      "CVE-2025-25297",
       "CVE-2025-61884"
     ],
     "framework_controls_partially_addressing": [