SCA: security update for datasette (GHSA-7ch3-7pp7-7cpq)

medium Tenable Self-Hosted Container Security Plugin ID 411995

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Datasette is an open source multi-tool for exploring and publishing data. This bug affects Datasette
instances running a Datasette 1.0 alpha - 1.0a0, 1.0a1, 1.0a2 or 1.0a3 - in an online accessible location
but with authentication enabled using a plugin such as datasette-auth-passwords. The `/-/api` API explorer
endpoint could reveal the names of both databases and tables - but not their contents - to an
unauthenticated user. Datasette 1.0a4 has a fix for this issue. This will block access to the API explorer
but will still allow access to the Datasette read or write JSON APIs, as those use different URL patterns
within the Datasette `/database` hierarchy. This issue is patched in version 1.0a4. (CVE-2023-40570)

See Also

https://github.com/advisories/GHSA-7ch3-7pp7-7cpq

Plugin Details

Severity: Medium

ID: 411995

Version: Revision 1.5

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 6/1/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 1.2

Percentile: 0.01

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2023-40570

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 8/22/2023

Vulnerability Publication Date: 8/22/2023

Reference Information

CVE: CVE-2023-40570