GMS-2020-9: datasette-graphql leaks details of the schema of private database files

November 24, 2020

Impact

When running against a Datasette instance with private databases, datasette-graphql would expose the schema of those database tables - but not the table contents.

Patches

Patched

Workarounds

This issue is only present if a Datasette instance that includes private databases and has the datasette-graphql plugin installed is available on the public internet. Uninstalling the datasette-graphql plugin or preventing public access to the instance can workaround this issue.

For more information

If you have any questions or comments about this advisory:

Open an issue in datasette-graphql
Contact @simonw by Twitter direct message

References

github.com/advisories/GHSA-74hv-qjjq-h7g5
github.com/simonw/datasette-graphql/security/advisories/GHSA-74hv-qjjq-h7g5
pypi.org/project/datasette-graphql/

Detect and mitigate GMS-2020-9 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →