CVE-2023-40570: 
Python vulnerability analysis and mitigation

CVE-2023-40570 affects Datasette, an open source multi-tool for exploring and publishing data. The vulnerability was discovered in Datasette 1.0 alpha versions (1.0a0, 1.0a1, 1.0a2, and 1.0a3) and was patched in version 1.0a4. The issue affects instances running with authentication enabled using plugins such as datasette-auth-passwords (GitHub Advisory).

The vulnerability exists in the /-/api API explorer endpoint, which could expose the names of both databases and tables to unauthenticated users, although the actual contents of these databases and tables remained protected. The issue has been assigned a CVSS v3.1 Base Score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (NVD).

The vulnerability allows unauthenticated users to discover the names of databases and tables in Datasette instances that should be protected by authentication. While the actual data within these databases remains secure, the exposure of database and table names could provide attackers with information about the system's structure (GitHub Advisory).

The issue has been patched in Datasette version 1.0a4. For users unable to upgrade immediately, a workaround is available by blocking all traffic to the /-/api endpoint. This can be implemented using a proxy like Apache or NGINX, or by installing the datasette-block plugin with specific configuration in metadata.json or metadata.yml. The workaround will block access to the API explorer while maintaining access to Datasette's read or write JSON APIs (GitHub Advisory).