GHSA-q6j3-c4wc-63vw

Source
https://github.com/advisories/GHSA-q6j3-c4wc-63vw
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/08/GHSA-q6j3-c4wc-63vw/GHSA-q6j3-c4wc-63vw.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-q6j3-c4wc-63vw
Published
2020-08-11T14:54:40Z
Modified
2024-12-02T05:44:09.099874Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Summary
CSRF tokens leaked in URL by canned query form
Details

Impact

The HTML form for a read-only canned query includes the hidden CSRF token field added in #798 for writable canned queries (#698).

This means that submitting those read-only forms exposes the CSRF token in the URL - for example on https://latest.datasette.io/fixtures/neighborhood_search submitting the form took me to:

https://latest.datasette.io/fixtures/neighborhood_search?text=down&csrftoken=CSRFTOKEN-HERE

This token could potentially leak to an attacker if the resulting page has a link to an external site on it and the user clicks the link: the browser sends the page URL, token included, in the Referer header, so the token ends up in the external site's referrer logs.
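The defect above is a form that is submitted with GET while carrying a hidden CSRF token input, so the token lands in the query string of the request. The following is an added example, not Datasette's own code, of a check that finds such forms in a rendered page and shows the URL a browser would request when submitting one. The sample HTML, the base URL and the list of token field names are constructed for the example; the field name csrftoken is the one that appears in the advisory's URL.

```python
"""Detect HTML forms whose submission would leak a CSRF token into the URL."""
from html.parser import HTMLParser
from urllib.parse import urlencode, urljoin

# Assumed field names that carry anti-CSRF tokens; csrftoken is the one
# shown in the advisory, the others are common conventions.
CSRF_FIELD_NAMES = {"csrftoken", "csrfmiddlewaretoken", "_csrf"}


class FormCollector(HTMLParser):
    """Collect every <form> with its method, action and named inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                # HTML defaults to GET when the method attribute is absent.
                "method": (a.get("method") or "get").lower(),
                "action": a.get("action") or "",
                "inputs": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None and a.get("name"):
            self._current["inputs"].append(
                {"type": (a.get("type") or "text").lower(),
                 "name": a["name"],
                 "value": a.get("value") or ""}
            )

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def leaky_forms(html):
    """Return the forms that would put a CSRF token in the query string:
    method GET (explicit or default) plus a hidden input named like a token."""
    parser = FormCollector()
    parser.feed(html)
    return [
        f for f in parser.forms
        if f["method"] == "get"
        and any(i["type"] == "hidden" and i["name"] in CSRF_FIELD_NAMES
                for i in f["inputs"])
    ]


def submitted_url(form, base_url, user_values):
    """Build the URL a browser requests when submitting a GET form, with
    hidden fields taken from the markup and user-typed fields overriding."""
    fields = {i["name"]: i["value"] for i in form["inputs"]}
    fields.update(user_values)
    return urljoin(base_url, form["action"]) + "?" + urlencode(fields)


# Constructed sample page. The first form has the pre-0.46 shape described
# in the advisory: a read-only query submitted with GET that still carries
# the hidden token. The second is a writable query, where the token belongs:
# it is POSTed, so the token travels in the request body, not the URL.
SAMPLE_HTML = """
<form class="sql" action="/fixtures/neighborhood_search" method="get">
  <input type="text" name="text" value="">
  <input type="hidden" name="csrftoken" value="CSRFTOKEN-HERE">
  <input type="submit" value="Run SQL">
</form>
<form class="sql" action="/fixtures/add_name" method="post">
  <input type="text" name="name" value="">
  <input type="hidden" name="csrftoken" value="CSRFTOKEN-HERE">
  <input type="submit" value="Run SQL">
</form>
"""


def main():
    for form in leaky_forms(SAMPLE_HTML):
        url = submitted_url(form, "https://example.invalid/", {"text": "down"})
        print("GET form would expose CSRF token in URL:", url)


if __name__ == "__main__":
    main()
```

Running the block reports only the first form; the POST form with the same hidden input is not flagged, which is the distinction the 0.46 fix draws between read-only and writable canned queries.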

Patches

A fix for this issue has been released in Datasette 0.46.

Workarounds

You can fix this issue in a Datasette instance without upgrading by copying the 0.46 query.html template into a custom templates/ directory and running Datasette with the --template-dir=templates/ option.

References

Issue 918 discusses this in detail: https://github.com/simonw/datasette/issues/918

For more information

Contact swillison at gmail with any questions.

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-200"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-10T22:36:11Z"
}
Affected packages

Package: PyPI / datasette

Affected ranges

Type: ECOSYSTEM
Events:
  Introduced: 0 (unknown introduced version; all previous versions are affected)
  Fixed: 0.46

Affected versions

0.*

0.8
0.9
0.10
0.11
0.12
0.13
0.14
0.15
0.16
0.17
0.18
0.19
0.20
0.21
0.22
0.22.1
0.23
0.23.1
0.23.2
0.24
0.25
0.25.1
0.25.2
0.26
0.26.1
0.26.2
0.27
0.27.1
0.28
0.29
0.29.1
0.29.2
0.29.3
0.30
0.30.1
0.30.2
0.31
0.31.1
0.31.2
0.32
0.33
0.34
0.35
0.36
0.37
0.37.1
0.38
0.39
0.40
0.41
0.42
0.43
0.44
0.45a0
0.45a1
0.45a2
0.45a3
0.45a4
0.45a5
0.45