When running against a Datasette instance with private databases, datasette-graphql
would expose the schema of those database tables - but not the table contents.
Patched in version 1.2.
This issue is only present if a Datasette instance that includes private databases and has the datasette-graphql
plugin installed is available on the public internet. Uninstalling the datasette-graphql
plugin or preventing public access to the instance can work around this issue.
If you have any questions or comments about this advisory:

* Open an issue in datasette-graphql
* Contact @simonw by Twitter direct message
{ "nvd_published_at": null, "cwe_ids": [ "CWE-200" ], "severity": "LOW", "github_reviewed": true, "github_reviewed_at": "2020-11-24T21:42:40Z" }