We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2023-40570

Datasette 1.0 alpha series leaks names of databases and tables to unauthenticated users



Description

Datasette is an open source multi-tool for exploring and publishing data. This bug affects Datasette instances running a Datasette 1.0 alpha - 1.0a0, 1.0a1, 1.0a2 or 1.0a3 - in an online accessible location but with authentication enabled using a plugin such as datasette-auth-passwords. The `/-/api` API explorer endpoint could reveal the names of both databases and tables - but not their contents - to an unauthenticated user. Datasette 1.0a4 has a fix for this issue. This will block access to the API explorer but will still allow access to the Datasette read or write JSON APIs, as those use different URL patterns within the Datasette `/database` hierarchy. This issue is patched in version 1.0a4.

Reserved 2023-08-16 | Published 2023-08-25 | Updated 2024-10-02 | Assigner GitHub_M


MEDIUM: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Problem types

CWE-213: Exposure of Sensitive Information Due to Incompatible Policies

Product status

>= 1.0a0, < 1.0a4
affected

References

github.com/...asette/security/advisories/GHSA-7ch3-7pp7-7cpq

github.com/...ommit/01e0558825b8f7ec17d3b691aa072daf122fcc74

cve.org (CVE-2023-40570)

nvd.nist.gov (CVE-2023-40570)

Download JSON

Share this page
https://cve.threatint.com/CVE/CVE-2023-40570

Support options

Helpdesk Chat, Email, Knowledgebase
Telegram Chat
Subscribe to our newsletter to learn more about our work.

© Copyright 2024 THREATINT
Made in Cyprus with +
 System status
Find us on
Data Privacy
Terms of Use
Logo BSI Allianz für Cyber-Sicherheit
Error loading Crisp.chat. Please check your web content filter and browser plugins.