GHSA-74hv-qjjq-h7g5
Suggest an improvement- Source
- https://github.com/advisories/GHSA-74hv-qjjq-h7g5
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/11/GHSA-74hv-qjjq-h7g5/GHSA-74hv-qjjq-h7g5.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-74hv-qjjq-h7g5
- Published
- 2020-11-24T22:59:08Z
- Modified
- 2024-12-02T05:43:35.091839Z
- Summary
- datasette-graphql leaks details of the schema of private database files
- Details
-
Impact
When running against a Datasette instance with private databases,
datasette-graphqlwould expose the schema of those database tables - but not the table contents.Patches
Patched in version 1.2.
Workarounds
This issue is only present if a Datasette instance that includes private databases and has the
datasette-graphqlplugin installed is available on the public internet. Uninstalling thedatasette-graphqlplugin or preventing public access to the instance can workaround this issue.For more information
If you have any questions or comments about this advisory: * Open an issue in datasette-graphql * Contact @simonw by Twitter direct message
- Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-200" ], "severity": "LOW", "github_reviewed": true, "github_reviewed_at": "2020-11-24T21:42:40Z" }- References
Affected packages
PyPI / datasette-graphql
Package
- Name
- datasette-graphql
- View open source insights on deps.dev
- Purl
- pkg:pypi/datasette-graphql