GHSA-74hv-qjjq-h7g5

Source

https://github.com/advisories/GHSA-74hv-qjjq-h7g5

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/11/GHSA-74hv-qjjq-h7g5/GHSA-74hv-qjjq-h7g5.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-74hv-qjjq-h7g5

Published

2020-11-24T22:59:08Z

Modified

2024-12-02T05:43:35.091839Z

Summary

datasette-graphql leaks details of the schema of private database files

Details

Impact

When running against a Datasette instance with private databases, datasette-graphql would expose the schema of those database tables - but not the table contents.

Patches

Patched in version 1.2.

Workarounds

This issue is only present if a Datasette instance that includes private databases and has the datasette-graphql plugin installed is available on the public internet. Uninstalling the datasette-graphql plugin or preventing public access to the instance can workaround this issue.

For more information

If you have any questions or comments about this advisory: * Open an issue in datasette-graphql * Contact @simonw by Twitter direct message

Database specific

{
    "github_reviewed": true,
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-200"
    ],
    "github_reviewed_at": "2020-11-24T21:42:40Z",
    "severity": "LOW"
}

References

Affected packages

PyPI / datasette-graphql

Package

Name: datasette-graphql; View open source insights on deps.dev
Purl: pkg:pypi/datasette-graphql

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.2

Affected versions

0.*

0.1a0

0.1a1

0.1a2

0.1a3

0.1a4

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

0.10

0.11

0.12

0.12.1

0.12.2

0.12.3

0.13

0.14

0.15

1.*

1.0

1.0.1

1.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/11/GHSA-74hv-qjjq-h7g5/GHSA-74hv-qjjq-h7g5.json"