Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Datasette 1.0 alpha series leaks names of databases and tables to unauthenticated users
Vulnerability Description
Datasette is an open source multi-tool for exploring and publishing data. This bug affects Datasette instances running a Datasette 1.0 alpha - 1.0a0, 1.0a1, 1.0a2 or 1.0a3 - in an online accessible location but with authentication enabled using a plugin such as datasette-auth-passwords. The `/-/api` API explorer endpoint could reveal the names of both databases and tables - but not their contents - to an unauthenticated user. Datasette 1.0a4 has a fix for this issue. This will block access to the API explorer but will still allow access to the Datasette read or write JSON APIs, as those use different URL patterns within the Datasette `/database` hierarchy. This issue is patched in version 1.0a4.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Vulnerability Type
故意性的信息暴露
Vulnerability Title
Datasette 安全漏洞
Vulnerability Description
Datasette是应用软件用于探索和发布数据的开源多功能工具 Datasette存在安全漏洞,该漏洞源于/-/api资源管理器端点向未经身份验证的攻击者泄露了数据库和表的名称。受影响的产品和版本:Datasette 1.0a0版本、1.0a1版本、1.0a2版本、1.0a3版本。
CVSS Information
N/A
Vulnerability Type
N/A