CVE-2023-40570

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2023-40570

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-40570.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2023-40570

Aliases

Published

2023-08-25T00:18:09.134Z

Modified

2025-11-29T14:34:38.661047Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Datasette 1.0 alpha series leaks names of databases and tables to unauthenticated users

Details

Datasette is an open source multi-tool for exploring and publishing data. This bug affects Datasette instances running a Datasette 1.0 alpha - 1.0a0, 1.0a1, 1.0a2 or 1.0a3 - in an online accessible location but with authentication enabled using a plugin such as datasette-auth-passwords. The /-/api API explorer endpoint could reveal the names of both databases and tables - but not their contents - to an unauthenticated user. Datasette 1.0a4 has a fix for this issue. This will block access to the API explorer but will still allow access to the Datasette read or write JSON APIs, as those use different URL patterns within the Datasette /database hierarchy. This issue is patched in version 1.0a4.

Database specific

{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/40xxx/CVE-2023-40570.json",
    "cwe_ids": [
        "CWE-213"
    ]
}

References

Affected packages

Git / github.com/simonw/datasette

Affected ranges

Type: GIT
Repo: https://github.com/simonw/datasette
Events: Introduced

4a0bd960e9763623dae6a13c8af3810c4ce9fb0a

Fixed

01e0558825b8f7ec17d3b691aa072daf122fcc74

Affected versions

1.*

1.0a0

1.0a1

1.0a2

1.0a3

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-40570.json"