Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Datasette 1.0 alpha series leaks names of databases and tables to unauthenticated users
Impact
This bug affects Datasette instances running one of the Datasette 1.0 alphas (1.0a0, 1.0a1, 1.0a2 or 1.0a3) in a network-accessible location with authentication enabled via a plugin such as datasette-auth-passwords.
The /-/api API explorer endpoint could reveal the names of both databases and tables, but not their contents, to an unauthenticated user.
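A triage helper for this advisory, added here as an example (it is not code from the advisory or from Datasette). It answers one question: does a given Datasette version fall inside the affected range >= 1.0a0, < 1.0a4? Only the standard library is used, and the hostnames in the sample inventory are constructed. The point worth seeing is pre-release ordering: compared as strings, "1.0a3" sorts after both "1.0" and "0.64.6", yet it is an earlier release than 1.0 and a later one than 0.64.6, so a naive string comparison against the range would mis-triage both the 0.x fleet and the alphas.

```python
"""Triage helper for GHSA-7ch3-7pp7-7cpq / CVE-2023-40570.

Added example, not code from the advisory or from Datasette.  Decides
whether a Datasette version lies in the affected range >= 1.0a0, < 1.0a4,
handling PEP 440 pre-release ordering with the standard library only.
"""
import re
from typing import Dict, List, Tuple

# Range taken from the advisory's "Affected Version Ranges" line.
AFFECTED_MIN = "1.0a0"  # inclusive
FIXED_IN = "1.0a4"      # exclusive

# Version shapes seen on the page: "0.64.6", "1.0a3".  Final releases and
# a/b/rc pre-releases are supported; anything else is rejected loudly.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?$")

VersionKey = Tuple[Tuple[int, ...], int, int]


def parse_version(version: str) -> VersionKey:
    """Turn 'X.Y[.Z][{a|b|rc}N]' into a tuple that sorts in release order.

    Key layout: (release numbers, pre-release rank, pre-release number).
    alpha=0, beta=1, rc=2; a final release gets rank 3 so it sorts after
    every pre-release of the same version.  Trailing zero components are
    dropped so "1.0", "1.0.0" and the release part of "1.0a3" compare
    equal, as PEP 440 requires.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    release = tuple(int(part) for part in m.group(1).split("."))
    while len(release) > 1 and release[-1] == 0:
        release = release[:-1]
    if m.group(2) is None:
        return release, 3, 0
    rank = {"a": 0, "b": 1, "rc": 2}[m.group(2)]
    return release, rank, int(m.group(3))


def is_affected(version: str) -> bool:
    """True when version lies in [AFFECTED_MIN, FIXED_IN)."""
    key = parse_version(version)
    return parse_version(AFFECTED_MIN) <= key < parse_version(FIXED_IN)


def hosts_needing_upgrade(inventory: Dict[str, str]) -> List[str]:
    """Given host -> installed datasette version, list hosts still exposed."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed inventory for illustration only; hostnames are made up.
SAMPLE_INVENTORY = {
    "analytics-01": "0.64.6",   # last 0.x release the page lists as unaffected
    "analytics-02": "1.0a3",    # affected: last alpha before the fix
    "analytics-03": "1.0a4",    # fixed
    "sandbox": "1.0a0",         # affected: first alpha
}

if __name__ == "__main__":
    for host, ver in SAMPLE_INVENTORY.items():
        print(f"{host}: {ver} -> {'AFFECTED' if is_affected(ver) else 'ok'}")
```

Feed it the output of `pip show datasette` or your inventory system; anything the regex does not recognise raises rather than silently passing as "not affected", which is the failure mode you want from a triage check.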
Patches
Datasette 1.0a4 has a fix for this issue.
Workarounds
To work around this issue, block all traffic to the /-/api endpoint. This can be done with a proxy such as Apache or NGINX, or by installing the datasette-block plugin and adding the following configuration to your metadata.json or metadata.yml file:

{
  "plugins": {
    "datasette-block": {
      "prefixes": ["/-/api"]
    }
  }
}

This will block access to the API explorer but will still allow access to the Datasette read or write JSON APIs, as those use different URL patterns within the Datasette /database hierarchy.
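The same prefix block written as an ASGI middleware, added here as an example; it is not code from Datasette or from the datasette-block plugin, and it does not claim to reproduce that plugin's exact matching rules. It does for one app what the workaround does with a plugin or a reverse proxy: refuse every request whose path starts with /-/api while leaving the rest of the site, including the /database JSON API paths, alone. The ASGI scope fields it reads (type, path, query_string) are the standard ones; the class and function names, the stand-in echo app and the request paths in the demo are mine. The path is normalised before the prefix test, so variants such as "//-/api" or "/-/../-/api" cannot slip past a check applied to the raw string.

```python
"""Path-prefix block for the /-/api explorer, as an ASGI middleware.

Added example, not code from Datasette or from datasette-block.  Wraps any
ASGI app (Datasette is one) and answers 403 for paths under the blocked
prefixes after collapsing duplicate slashes and resolving '.'/'..'.
"""
import asyncio
import posixpath
import re
from typing import Callable, Iterable, List

# Same prefix list the advisory gives for datasette-block.
BLOCKED_PREFIXES = ("/-/api",)


def normalise_path(path: str) -> str:
    """Collapse repeated slashes and resolve '.' / '..' segments."""
    if not path.startswith("/"):
        path = "/" + path
    path = re.sub(r"/+", "/", path)
    return posixpath.normpath(path)


def is_blocked(path: str, prefixes: Iterable[str] = BLOCKED_PREFIXES) -> bool:
    """Prefix match on the normalised path.  In ASGI the query string is not
    part of scope["path"], so "/-/api?x=1" arrives here as "/-/api"."""
    clean = normalise_path(path)
    return any(clean.startswith(p) for p in prefixes)


class PrefixBlockMiddleware:
    """Answer 403 for blocked paths, otherwise delegate to the wrapped app."""

    def __init__(self, app: Callable, prefixes: Iterable[str] = BLOCKED_PREFIXES):
        self.app = app
        self.prefixes = tuple(prefixes)

    async def __call__(self, scope, receive, send):
        if scope["type"] == "http" and is_blocked(scope["path"], self.prefixes):
            await send({
                "type": "http.response.start",
                "status": 403,
                "headers": [(b"content-type", b"text/plain; charset=utf-8")],
            })
            await send({"type": "http.response.body", "body": b"Forbidden"})
            return
        await self.app(scope, receive, send)


async def echo_app(scope, receive, send):
    """Stand-in for Datasette: 200 with the requested path as the body."""
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": scope["path"].encode()})


def request_status(app: Callable, path: str) -> int:
    """Drive an ASGI app with a constructed GET request; return the status."""
    sent: List[dict] = []

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        sent.append(message)

    scope = {"type": "http", "method": "GET", "path": path,
             "query_string": b"", "headers": []}
    asyncio.run(app(scope, receive, send))
    return sent[0]["status"]


APP = PrefixBlockMiddleware(echo_app)

if __name__ == "__main__":
    # Constructed request paths: explorer variants should be 403,
    # table JSON under a database and other /-/ pages should pass.
    for p in ["/-/api", "/-/api/", "//-/api", "/-/../-/api",
              "/fixtures/facetable.json", "/-/versions", "/"]:
        print(f"{p:26} -> {request_status(APP, p)}")
```

Datasette's asgi_wrapper plugin hook is the natural place to install a wrapper like this (that hook is not described on this page). If you block at a reverse proxy instead, confirm the proxy matches on the normalised path rather than the raw request line, otherwise the slash and dot-segment variants above reach the backend unblocked.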
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03Y2gzLTdwcDctN2Nwcc4AA1at
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 9 months ago
Updated: 6 months ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Identifiers: GHSA-7ch3-7pp7-7cpq, CVE-2023-40570
References:
- https://github.com/simonw/datasette/security/advisories/GHSA-7ch3-7pp7-7cpq
- https://github.com/simonw/datasette/commit/01e0558825b8f7ec17d3b691aa072daf122fcc74
- https://nvd.nist.gov/vuln/detail/CVE-2023-40570
- https://github.com/pypa/advisory-database/tree/main/vulns/datasette/PYSEC-2023-154.yaml
- https://github.com/advisories/GHSA-7ch3-7pp7-7cpq
Blast Radius: 13.0
Affected Packages
pypi:datasette
Dependent packages: 104
Dependent repositories: 285
Downloads: 46,612 last month
Affected Version Ranges: >= 1.0a0, < 1.0a4
Fixed in: 1.0a4
All affected versions: 1.0a0, 1.0a1, 1.0a2, 1.0a3
All unaffected versions: 0.22.1, 0.23.1, 0.23.2, 0.25.1, 0.25.2, 0.26.1, 0.26.2, 0.27.1, 0.29.1, 0.29.2, 0.29.3, 0.30.1, 0.30.2, 0.31.1, 0.31.2, 0.37.1, 0.47.1, 0.47.2, 0.47.3, 0.49.1, 0.50.1, 0.50.2, 0.51.1, 0.52.1, 0.52.2, 0.52.3, 0.52.4, 0.52.5, 0.54.1, 0.56.1, 0.57.1, 0.58.1, 0.59.1, 0.59.2, 0.59.3, 0.59.4, 0.60.1, 0.60.2, 0.61.1, 0.63.1, 0.63.2, 0.63.3, 0.64.1, 0.64.2, 0.64.3, 0.64.4, 0.64.5, 0.64.6