Description
datasette-graphql leaks details of the schema of private database files
Impact
When running against a Datasette instance with private databases, datasette-graphql would expose the schema of those database tables - but not the table contents.
Patches
Patched in version 1.2.
Workarounds
This issue is only present if a Datasette instance that includes private databases and has the datasette-graphql plugin installed is available on the public internet. Uninstalling the datasette-graphql plugin or preventing public access to the instance can work around this issue.
For more information
If you have any questions or comments about this advisory:
- Open an issue in datasette-graphql
- Contact @simonw by Twitter direct message
Packages
Name: datasette-graphql (pip)
Affected versions: < 1.2
Fixed version: 1.2
Weaknesses
CWE-200