Executive Summary

Informations
Name CVE-2023-40570 First vendor Publication 2023-08-25
Vendor Cve Last vendor Modification 2023-08-31

Security-Database Scoring CVSS v3

Cvss vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Overall CVSS Score 5.3
Base Score 5.3 Environmental Score 5.3
impact SubScore 1.4 Temporal Score 5.3
Exploitabality Sub Score 3.9
 
Attack Vector Network Attack Complexity Low
Privileges Required None User Interaction None
Scope Unchanged Confidentiality Impact Low
Integrity Impact None Availability Impact None
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector :
Cvss Base Score N/A Attack Range N/A
Cvss Impact Score N/A Attack Complexity N/A
Cvss Expoit Score N/A Authentication N/A
Calculate full CVSS 2.0 Vectors scores

Detail

Datasette is an open source multi-tool for exploring and publishing data. This bug affects Datasette instances running a Datasette 1.0 alpha - 1.0a0, 1.0a1, 1.0a2 or 1.0a3 - in an online accessible location but with authentication enabled using a plugin such as datasette-auth-passwords. The `/-/api` API explorer endpoint could reveal the names of both databases and tables - but not their contents - to an unauthenticated user. Datasette 1.0a4 has a fix for this issue. This will block access to the API explorer but will still allow access to the Datasette read or write JSON APIs, as those use different URL patterns within the Datasette `/database` hierarchy. This issue is patched in version 1.0a4.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40570

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 4

Sources (Detail)

Source Url
MISC https://github.com/simonw/datasette/commit/01e0558825b8f7ec17d3b691aa072daf12...
https://github.com/simonw/datasette/security/advisories/GHSA-7ch3-7pp7-7cpq

Alert History

If you want to see full details history, please login or register.
0
1
Date Informations
2023-08-31 17:27:24
  • Multiple Updates
2023-08-25 09:27:20
  • First insertion