CVE-2023-40570

2023-08-2501:15:09

CWE-213

[email protected]

web.nvd.nist.gov

2409

datasette

cve-2023-40570

security vulnerability

api explorer

authentication

data publication

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5.2 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

20.7%

JSON

Datasette is an open source multi-tool for exploring and publishing data. This bug affects Datasette instances running a Datasette 1.0 alpha - 1.0a0, 1.0a1, 1.0a2 or 1.0a3 - in an online accessible location but with authentication enabled using a plugin such as datasette-auth-passwords. The /-/api API explorer endpoint could reveal the names of both databases and tables - but not their contents - to an unauthenticated user. Datasette 1.0a4 has a fix for this issue. This will block access to the API explorer but will still allow access to the Datasette read or write JSON APIs, as those use different URL patterns within the Datasette /database hierarchy. This issue is patched in version 1.0a4.

Affected configurations

Vulners

NVD

Node

simonwdatasetteRange1.0a0–1.0a4

CPENameOperatorVersion
datasette:datasettedatasetteeq1.0

CPE	Name	Operator	Version
datasette:datasette	datasette	eq	1.0

CNA Affected

[
  {
    "vendor": "simonw",
    "product": "datasette",
    "versions": [
      {
        "version": ">= 1.0a0, < 1.0a4",
        "status": "affected"
      }
    ]
  }
]