Datasette is an open-source multi-tool that aims to simplify the process of exploring, analyzing, and publishing data. It is widely used by developers and researchers across various industries to facilitate data management and sharing. However, a recently discovered security vulnerability (identified as CVE-2023-40570) threatens the privacy and security of the data stored in Datasette instances.

The bug affects Datasette instances running the following 1. alpha versions:

- 1.a

Context

This security vulnerability specifically affects Datasette instances that are accessible online but have been protected using authentication plugins such as datasette-auth-passwords. In these instances, the security flaw lies in the /-/api API explorer endpoint.

Exploit Details

Due to this vulnerability, an attacker (an unauthenticated user) is able to reveal the names of databases and tables (not their contents) in an affected Datasette instance without being logged in. While this information does not expose the data itself, it can still give a malicious user valuable insight into what the instance holds.

A sample code snippet that might exploit this vulnerability:

import requests

# Replace <datasette_instance_url> with the host of the instance being assessed.
# On an affected (pre-1.a4) instance the API explorer answers without any login.
url = "http://<datasette_instance_url>/-/api"
response = requests.get(url)
# The JSON response lists database and table names, but not row contents.
print(response.json())

Original References

- Datasette Repository: https://github.com/simonw/datasette
- Datasette CVE-2023-40570 Security Advisory: https://github.com/simonw/datasette/security/advisories/GHSA-4ppw-rf2q-mfq5
- Datasette 1.a4 Release Notes: https://github.com/simonw/datasette/releases/tag/1.a4

Security Fix

The Datasette development team has provided a fix for this issue in version 1.a4. Upgrading to this version restricts access to the affected API explorer endpoint. This update does not affect Datasette's read or write JSON APIs, as they use different URL patterns within the /database hierarchy.

Recommendations

- Immediately upgrade your Datasette instance to version 1.a4, which includes the fix for CVE-2023-40570.
- Ensure that your Datasette instance is running only the latest versions of all plugins and dependencies.
- Review your Datasette instance's access logs for any suspicious activity and undertake any necessary remedial actions.
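To act on the last recommendation, the following added example (not part of the original advisory or of the Datasette project) scans access logs for requests to the /-/api explorer endpoint and reports which of them were actually served. It assumes the logs come from a reverse proxy in the Apache/nginx "combined" format; the log lines themselves are constructed samples.

```python
import re
from dataclasses import dataclass
from typing import List

# Apache/nginx "combined" log format, as typically written by a reverse proxy
# in front of Datasette (assumed here; adapt the regex to your proxy's format).
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# The API explorer lives at exactly /-/api (optionally with a query string).
# The JSON APIs live under the database hierarchy (/db.json, /db/table.json)
# and are not affected, so they are deliberately not matched.
_EXPLORER_RE = re.compile(r'^/-/api(?:\?.*)?$')

@dataclass
class Hit:
    ip: str
    timestamp: str
    path: str
    status: int

def explorer_hits(lines: List[str]) -> List[Hit]:
    """Return every request for the /-/api explorer endpoint found in the log."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        if _EXPLORER_RE.match(m["path"]):
            hits.append(Hit(m["ip"], m["ts"], m["path"], int(m["status"])))
    return hits

def served_hits(hits: List[Hit]) -> List[Hit]:
    """Requests answered 2xx: on a pre-1.a4 instance these handed the database
    and table names to whoever asked, logged in or not."""
    return [h for h in hits if 200 <= h.status < 300]

# Constructed sample log lines for demonstration; not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Aug/2023:10:01:02 +0000] "GET /-/api HTTP/1.1" 200 5120 "-" "curl/8.1.2"',
    '198.51.100.4 - - [20/Aug/2023:10:01:09 +0000] "GET /fixtures.json HTTP/1.1" 403 98 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [20/Aug/2023:10:01:15 +0000] "GET /-/api?x=1 HTTP/1.1" 200 5120 "-" "curl/8.1.2"',
    '192.0.2.9 - - [25/Aug/2023:09:30:00 +0000] "GET /-/api HTTP/1.1" 403 41 "-" "python-requests/2.31"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for h in served_hits(explorer_hits(SAMPLE_LOG)):
        print(f"{h.timestamp} {h.ip} fetched {h.path} -> {h.status}")
```

A 2xx hit dated before the instance was upgraded to 1.a4 means the database and table listing was disclosed to that client; correlate those source addresses with your authentication plugin's login records to tell authenticated users from anonymous ones.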

Closing Notes

The discovery of security vulnerabilities like CVE-2023-40570 highlights the importance of continually evaluating and maintaining the security of your software and systems. By staying vigilant and keeping up with the latest security updates, you can keep your data safe from malicious actors.

Timeline

Published on: 08/25/2023 01:15:00 UTC
Last modified on: 08/31/2023 13:50:00 UTC