PT-2023-27515 · Unknown+3 · Datasette-Block+4

Simonw · Published 2023-08-22 · Updated 2023-08-31 · CVE-2023-40570

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Datasette versions 1.0a0 through 1.0a3

Description: The issue affects Datasette instances running in an online accessible location with authentication enabled using a plugin such as datasette-auth-passwords. The /-/api API endpoint could reveal the names of both databases and tables, but not their contents, to an unauthenticated user. Datasette 1.0a4 has a fix for this issue, which blocks access to the API explorer but still allows access to the Datasette read or write JSON APIs.

Recommendations: For versions 1.0a0 through 1.0a3, update to version 1.0a4 to resolve the issue. As a temporary workaround for versions 1.0a0 through 1.0a3, block all traffic to the /-/api endpoint, which can be done with a proxy such as Apache or NGINX, or by installing the datasette-block plugin and adding the necessary configuration to your metadata.json or metadata.yml file.
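The proxy-level workaround described above, written out as an added example that is not part of this advisory or of the Datasette project: an NGINX reverse-proxy fragment that forwards traffic to Datasette but answers 403 for anything under /-/api before the request reaches the application. The upstream address, port and hostname are assumptions for illustration.

```nginx
# Added example: NGINX in front of a Datasette 1.0a0-1.0a3 instance.
# Assumption: Datasette listens on 127.0.0.1:8001 (its default port);
# adjust to match the deployment.
upstream datasette {
    server 127.0.0.1:8001;
}

server {
    listen 80;
    server_name datasette.example.com;  # placeholder hostname

    # Temporary workaround for CVE-2023-40570: refuse the API explorer
    # at the proxy. The ^~ modifier makes this prefix match take priority
    # over any regex locations configured elsewhere, and it covers /-/api
    # as well as every path beneath it (/-/api/...).
    location ^~ /-/api {
        return 403;
    }

    # Everything else, including the per-database and per-table JSON
    # endpoints Datasette serves, is passed through unchanged.
    location / {
        proxy_pass http://datasette;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Once the instance is upgraded to 1.0a4, which carries the fix, the location block can be removed.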

Exploit

Fix

Information Disclosure


Weakness Enumeration

Related identifiers

CVE-2023-40570
GHSA-7CH3-7PP7-7CPQ
PYSEC-2023-154

Affected products

Apache
Datasette
Nginx
Datasette-Auth-Passwords
Datasette-Block