Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTc0aHYtcWpqcS1oN2c1
datasette-graphql leaks details of the schema of private database files
Impact
When running against a Datasette instance that contains private databases, datasette-graphql
exposed the schema of the tables in those private databases (table names and their columns), but not the rows they contain.
Patches
Patched in version 1.2.
Workarounds
This issue is only present when a Datasette instance that includes private databases, and that has the datasette-graphql
plugin installed, is available on the public internet. Uninstalling the datasette-graphql
plugin, or preventing public access to the instance, works around the issue until the plugin is upgraded.
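A practical way to confirm whether a running instance is affected is to compare what the GraphQL schema advertises against what Datasette lists publicly. The script below is an added example written for this page, not code from datasette-graphql or Datasette. It assumes (neither assumption is taken from the advisory) that Datasette's `/.json` lists public databases as `{"<db>": {"tables": [{"name": ...}]}}`, and that datasette-graphql exposes one root Query field per table named after the table plus a `<table>_row` single-row variant; both payloads embedded here are constructed samples shaped that way.

```python
"""Check whether the GraphQL schema a Datasette instance serves reveals
tables that belong to no publicly listed database.

Added example for this advisory page; not code from datasette-graphql or
Datasette. Assumptions (not taken from the page):
- GET /.json lists public databases as {"<db>": {"tables": [{"name": ...}]}};
  PUBLIC_LISTING below is a constructed sample.
- datasette-graphql exposes one Query field per table, named after the
  table, plus a "<table>_row" single-row variant; INTROSPECTION_RESPONSE
  below is a constructed sample shaped that way.
"""

# Standard GraphQL introspection query: no plugin-specific knowledge needed.
INTROSPECTION_QUERY = """
query {
  __schema {
    queryType { name }
    types { name kind fields { name } }
  }
}
"""

# Constructed sample: /.json for an instance with one public database
# ("content"); its private database is, correctly, not listed here.
PUBLIC_LISTING = {
    "content": {"tables": [{"name": "repos"}, {"name": "releases"}]},
}

# Constructed sample: introspection response from the same instance, in
# which the schema also reflects the private database's tables.
INTROSPECTION_RESPONSE = {
    "data": {
        "__schema": {
            "queryType": {"name": "Query"},
            "types": [
                {
                    "name": "Query",
                    "kind": "OBJECT",
                    "fields": [
                        {"name": "repos"}, {"name": "repos_row"},
                        {"name": "releases"}, {"name": "releases_row"},
                        {"name": "customers"}, {"name": "customers_row"},
                        {"name": "api_tokens"}, {"name": "api_tokens_row"},
                    ],
                },
                {"name": "String", "kind": "SCALAR", "fields": None},
                {"name": "__Schema", "kind": "OBJECT", "fields": [{"name": "types"}]},
            ],
        }
    }
}


def public_tables(listing):
    """Table names across every database the instance lists publicly."""
    return {
        table["name"]
        for db in listing.values()
        for table in db.get("tables", [])
    }


def schema_tables(introspection):
    """Table names implied by the root Query fields of the GraphQL schema.

    Only the root query type is inspected; introspection types (names
    starting with "__") and scalars carry no table information.
    """
    schema = introspection["data"]["__schema"]
    root = schema["queryType"]["name"]
    tables = set()
    for gql_type in schema["types"]:
        if gql_type["name"] != root or not gql_type.get("fields"):
            continue
        for field in gql_type["fields"]:
            name = field["name"]
            if name.startswith("__"):
                continue
            # Assumed plugin convention: "<table>_row" is the single-row
            # lookup for "<table>"; fold it back onto the table name.
            if name.endswith("_row"):
                name = name[: -len("_row")]
            tables.add(name)
    return tables


def leaked_tables(listing, introspection):
    """Tables reachable through GraphQL that belong to no public database."""
    return sorted(schema_tables(introspection) - public_tables(listing))


if __name__ == "__main__":
    leaked = leaked_tables(PUBLIC_LISTING, INTROSPECTION_RESPONSE)
    if leaked:
        print("schema exposes tables outside public databases:", leaked)
    else:
        print("no tables beyond the public databases are exposed")
```

To run this against a live instance, POST `{"query": INTROSPECTION_QUERY}` to each GraphQL endpoint the plugin exposes and GET `/.json`, then pass the parsed bodies to `leaked_tables()`. An empty result only means nothing showed up under the assumed naming convention; the reliable fix remains upgrading to 1.2 or later.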
For more information
If you have any questions or comments about this advisory:
- Open an issue in datasette-graphql
- Contact @simonw by Twitter direct message
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTc0aHYtcWpqcS1oN2c1
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: over 3 years ago
Updated: over 1 year ago
Identifiers: GHSA-74hv-qjjq-h7g5
References:
- https://github.com/simonw/datasette-graphql/security/advisories/GHSA-74hv-qjjq-h7g5
- https://pypi.org/project/datasette-graphql/
- https://github.com/advisories/GHSA-74hv-qjjq-h7g5
Blast Radius: 0.0
Affected Packages
pypi:datasette-graphql
Dependent packages: 0
Dependent repositories: 16
Downloads: 3,702 last month
Affected Version Ranges: < 1.2
Fixed in: 1.2
All affected versions: 0.12.1, 0.12.2, 0.12.3, 1.0.1
All unaffected versions: 1.2.1, 1.3.1, 2.0.1, 2.0.2, 2.1.1, 2.1.2