GMS-2020-9: datasette-graphql leaks details of the schema of private database files
Impact
When running against a Datasette instance with private databases, datasette-graphql would expose the schema of those database tables - but not the table contents.
Patches
Patched
Workarounds
This issue is only present if a Datasette instance that includes private databases and has the datasette-graphql plugin installed is available on the public internet. Uninstalling the datasette-graphql plugin or preventing public access to the instance can workaround this issue.
For more information
If you have any questions or comments about this advisory:
- Open an issue in datasette-graphql
- Contact @simonw by Twitter direct message
References
Code Behaviors & Features
Detect and mitigate GMS-2020-9 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →