Vulnerability Description
Datasette is an open source multi-tool for exploring and publishing data. This bug affects Datasette instances running a Datasette 1.0 alpha - 1.0a0, 1.0a1, 1.0a2 or 1.0a3 - in an online accessible location but with authentication enabled using a plugin such as datasette-auth-passwords. The `/-/api` API explorer endpoint could reveal the names of both databases and tables - but not their contents - to an unauthenticated user. Datasette 1.0a4 has a fix for this issue. This will block access to the API explorer but will still allow access to the Datasette read or write JSON APIs, as those use different URL patterns within the Datasette `/database` hierarchy. This issue is patched in version 1.0a4.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Datasette | Datasette | 1.0 |
Related Weaknesses (CWE)
References
- https://github.com/simonw/datasette/commit/01e0558825b8f7ec17d3b691aa072daf122fcPatch
- https://github.com/simonw/datasette/security/advisories/GHSA-7ch3-7pp7-7cpqMitigationVendor Advisory
- https://github.com/simonw/datasette/commit/01e0558825b8f7ec17d3b691aa072daf122fcPatch
- https://github.com/simonw/datasette/security/advisories/GHSA-7ch3-7pp7-7cpqMitigationVendor Advisory
FAQ
What is CVE-2023-40570?
CVE-2023-40570 is a vulnerability with a CVSS score of 5.3 (MEDIUM). Datasette is an open source multi-tool for exploring and publishing data. This bug affects Datasette instances running a Datasette 1.0 alpha - 1.0a0, 1.0a1, 1.0a2 or 1.0a3 - in an online accessible lo...
How severe is CVE-2023-40570?
CVE-2023-40570 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-40570?
Check the references section above for vendor advisories and patch information. Affected products include: Datasette Datasette.