CVE-2023-40570

Published: Aug 25, 2023

Modified: Oct 2, 2024

PUBLISHED

CVSS v3.1

5.3

MEDIUM

Description

Datasette is an open source multi-tool for exploring and publishing data. This bug affects Datasette instances running a Datasette 1.0 alpha - 1.0a0, 1.0a1, 1.0a2 or 1.0a3 - in an online accessible location but with authentication enabled using a plugin such as datasette-auth-passwords. The `/-/api` API explorer endpoint could reveal the names of both databases and tables - but not their contents - to an unauthenticated user. Datasette 1.0a4 has a fix for this issue. This will block access to the API explorer but will still allow access to the Datasette read or write JSON APIs, as those use different URL patterns within the Datasette `/database` hierarchy. This issue is patched in version 1.0a4.

Vendor	Product	Versions
simonw	datasette	affected `>= 1.0a0, < 1.0a4`

Weaknesses (CWE)

CWE-213

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

References

https://github.com/simonw/datasette/security/advisories/GHSA-7ch3-7pp7-7cpq

x_refsource_CONFIRM

https://github.com/simonw/datasette/commit/01e0558825b8f7ec17d3b691aa072daf122fcc74

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2023-40570

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References