CVE-2023-40570

CVSS 3.1 Score 5.3 of 10 (medium)

Details

Published Aug 25, 2023

Updated: Aug 31, 2023

CWE ID 213

Summary

CVE-2023-40570 is a vulnerability affecting Datasette versions 1.0 alpha to 1.0a3, where instances with authentication enabled using plugins like datasette-auth-passwords are vulnerable. The issue lies with the `/-/api` API explorer endpoint, which can disclose both database and table names to unauthenticated users. However, the vulnerability does not expose table contents. Datasette version 1.0a4 includes a patch that addresses this issue by denying access to the API explorer but maintaining functionality for read or write JSON APIs.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

https://app.recordedfuture.com/live/sc/entity/sXgfid
https://www.cve.org/CVERecord?id=CVE-2023-40570
https://nvd.nist.gov/vuln/detail/CVE-2023-40570

Back to Vulnerability Database

CVE-2023-40570

CVSS 3.1 Score 5.3 of 10 (medium)

Details

Summary

Advisories, Assessments, and Mitigations