CVE-2023-40570

CVSS 3.1 Score 5.3 of 10 (medium)

Details

Published: Aug 25, 2023
Updated: Aug 31, 2023
CWE ID 213

Summary

CVE-2023-40570 is a vulnerability affecting Datasette versions 1.0 alpha through 1.0a3. Instances that enable authentication via plugins such as datasette-auth-passwords are affected: the `/-/api` API explorer endpoint discloses database and table names to unauthenticated users. The vulnerability does not expose table contents. Datasette 1.0a4 patches the issue by denying unauthenticated access to the API explorer while keeping the read and write JSON APIs functional.

