CVE-2023-40570 : Datasette is an open source multi-tool for exploring and publishing data. This b

Datasette is an open source multi-tool for exploring and publishing data. This bug affects Datasette instances running a Datasette 1.0 alpha - 1.0a0, 1.0a1, 1.0a2 or 1.0a3 - in an online accessible location but with authentication enabled using a plugin such as datasette-auth-passwords. The `/-/api` API explorer endpoint could reveal the names of both databases and tables - but not their contents - to an unauthenticated user. Datasette 1.0a4 has a fix for this issue. This will block access to the API explorer but will still allow access to the Datasette read or write JSON APIs, as those use different URL patterns within the Datasette `/database` hierarchy. This issue is patched in version 1.0a4.

Published 2023-08-25 01:15:09

Updated 2023-08-31 13:50:51

Source GitHub, Inc.

View at NVD, CVE.org

Products affected by CVE-2023-40570

Datasette » Datasette » Version: 1.0 Update Alpha0
cpe:2.3:a:datasette:datasette:1.0:alpha0:*:*:*:*:*:*
Matching versions
Datasette » Datasette » Version: 1.0 Update Alpha1
cpe:2.3:a:datasette:datasette:1.0:alpha1:*:*:*:*:*:*
Matching versions
Datasette » Datasette » Version: 1.0 Update Alpha2
cpe:2.3:a:datasette:datasette:1.0:alpha2:*:*:*:*:*:*
Matching versions
Datasette » Datasette » Version: 1.0 Update Alpha3
cpe:2.3:a:datasette:datasette:1.0:alpha3:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-40570

EPSS FAQ

0.33%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 55 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-40570

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	3.9	1.4	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: None Availability: None
5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	3.9	1.4	GitHub, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: None Availability: None

CWE ids for CVE-2023-40570

CWE-213 Exposure of Sensitive Information Due to Incompatible Policies

The product's intended functionality exposes information to certain actors in accordance with the developer's security policy, but this information is regarded as sensitive according to the intended security policies of other stakeholders such as the product's administrator, users, or others whose information is being processed.

Assigned by: security-advisories@github.com (Secondary)

References for CVE-2023-40570

https://github.com/simonw/datasette/commit/01e0558825b8f7ec17d3b691aa072daf122fcc74

Merge pull request from GHSA-7ch3-7pp7-7cpq · simonw/datasette@01e0558 · GitHub
Patch
https://github.com/simonw/datasette/security/advisories/GHSA-7ch3-7pp7-7cpq

Datasette 1.0 alpha series leaks names of databases and tables to unauthenticated users · Advisory · simonw/datasette · GitHub
Mitigation;Vendor Advisory

Jump to

Vulnerability Details : CVE-2023-40570

Products affected by CVE-2023-40570

Exploit prediction scoring system (EPSS) score for CVE-2023-40570

CVSS scores for CVE-2023-40570

CWE ids for CVE-2023-40570

References for CVE-2023-40570