GHSA-74hv-qjjq-h7g5

Source
https://github.com/advisories/GHSA-74hv-qjjq-h7g5
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/11/GHSA-74hv-qjjq-h7g5/GHSA-74hv-qjjq-h7g5.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-74hv-qjjq-h7g5
Published
2020-11-24T22:59:08Z
Modified
2024-12-02T05:43:35.091839Z
Summary
datasette-graphql leaks details of the schema of private database files
Details

Impact

When running against a Datasette instance with private databases, datasette-graphql would expose the schema of those database tables - but not the table contents.

Patches

Patched in version 1.2.

Workarounds

This issue is only present if a Datasette instance that includes private databases and has the datasette-graphql plugin installed is reachable from the public internet. Uninstalling the datasette-graphql plugin or preventing public access to the instance can work around this issue.

For more information

If you have any questions or comments about this advisory:

* Open an issue in datasette-graphql
* Contact @simonw by Twitter direct message

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-200"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2020-11-24T21:42:40Z"
}
References

Affected packages

PyPI / datasette-graphql

Package

Name
datasette-graphql
Purl
pkg:pypi/datasette-graphql

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.2

Affected versions

0.*

0.1a0
0.1a1
0.1a2
0.1a3
0.1a4
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
0.10
0.11
0.12
0.12.1
0.12.2
0.12.3
0.13
0.14
0.15

1.*

1.0
1.0.1
1.1