Vulnerability Details CVE-2021-32670
Datasette is an open source multi-tool for exploring and publishing data. The `?_trace=1` debugging feature in Datasette does not correctly escape the HTML it generates, resulting in a [reflected cross-site scripting](https://owasp.org/www-community/attacks/xss/#reflected-xss-attacks) vulnerability: a victim who follows a crafted link runs attacker-supplied script in their own browser session. This is particularly relevant if your Datasette installation includes authenticated features using plugins such as [datasette-auth-passwords](https://datasette.io/plugins/datasette-auth-passwords), as an attacker could use the vulnerability to access protected data with the victim's session. Datasette 0.57 and 0.56.1 both include patches for this issue. If you run Datasette behind a proxy you can work around this issue by rejecting any incoming requests with `?_trace=` or `&_trace=` in their query string parameters.
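The proxy-side workaround above, written as an ASGI middleware so it can sit directly in front of a Datasette ASGI app, together with a version check against the two patched releases. This is an added example, not Datasette's own code or the advisory's; the class and function names are my own, and `stand_in_datasette` is a constructed stand-in for the real app. One caveat worth carrying into any proxy rule: query-string parsers decode percent-encoding before matching parameter names, so a filter that only looks for the literal bytes `?_trace=` or `&_trace=` can be bypassed with `?%5Ftrace=1`; the check below parses the query string first and matches the decoded name.

```python
import asyncio
import re
from urllib.parse import parse_qsl

# Added example, not Datasette's own code: the `_trace` rejection described
# in the advisory as an ASGI middleware, plus a helper that reports whether
# a given Datasette version carries the fix.

PATCHED_VERSION = (0, 56, 1)  # 0.56.1 and 0.57 carry the fix; anything newer does too
BLOCKED_PARAM = "_trace"


def is_patched(version: str) -> bool:
    """True if this Datasette version includes the fix for CVE-2021-32670.
    The fix shipped in 0.56.1 and 0.57, so every release at or above
    0.56.1 is patched (there is no 0.56.x release between the two)."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version))
    return parts >= PATCHED_VERSION


def has_trace_param(query_string: bytes) -> bool:
    """True if the query string carries a `_trace` parameter in any position.
    parse_qsl decodes percent-encoding, so `%5Ftrace=1` is caught as well;
    a literal substring match on `?_trace=` would miss it."""
    decoded = query_string.decode("latin-1")
    return any(key == BLOCKED_PARAM
               for key, _ in parse_qsl(decoded, keep_blank_values=True))


class RejectTraceMiddleware:
    """ASGI middleware: answer 400 to any HTTP request carrying `_trace`
    and pass everything else through to the wrapped app untouched."""

    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        if scope["type"] == "http" and has_trace_param(scope.get("query_string", b"")):
            await send({"type": "http.response.start", "status": 400,
                        "headers": [(b"content-type", b"text/plain; charset=utf-8")]})
            await send({"type": "http.response.body",
                        "body": b"_trace is disabled on this deployment\n"})
            return
        await self.app(scope, receive, send)


async def stand_in_datasette(scope, receive, send):
    """Constructed stand-in for the real Datasette app: always answers 200."""
    await send({"type": "http.response.start", "status": 200,
                "headers": [(b"content-type", b"text/plain; charset=utf-8")]})
    await send({"type": "http.response.body", "body": b"ok\n"})


def request_status(app, path: str, query_string: bytes) -> int:
    """Drive an ASGI app with one GET and return the status code it sends."""
    status = {}

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        if message["type"] == "http.response.start":
            status["code"] = message["status"]

    scope = {"type": "http", "method": "GET", "path": path,
             "query_string": query_string, "headers": []}
    asyncio.run(app(scope, receive, send))
    return status["code"]


if __name__ == "__main__":
    app = RejectTraceMiddleware(stand_in_datasette)
    for qs in (b"", b"_trace=1", b"sql=select+1&_trace=1", b"%5Ftrace=1"):
        print(qs, request_status(app, "/fixtures", qs))
    print(is_patched("0.56"), is_patched("0.56.1"), is_patched("0.57"))
```

With a real deployment you would wrap the Datasette ASGI app (`RejectTraceMiddleware(datasette.app())`) or port the same decoded-name check to your proxy's rule language; either way the rule is a stopgap until the instance is on 0.56.1 or 0.57 or later, which `is_patched` reports.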
Exploit prediction scoring system (EPSS) score
EPSS Score: 0.006
EPSS Ranking: 68.3%
CVSS Severity
CVSS v3 Score: 7.2
CVSS v2 Score: 4.3
Products affected by CVE-2021-32670
- cpe:2.3:a:datasette:datasette:0.7
- cpe:2.3:a:datasette:datasette:0.8
- cpe:2.3:a:datasette:datasette:0.9
- cpe:2.3:a:datasette:datasette:0.10
- cpe:2.3:a:datasette:datasette:0.11
- cpe:2.3:a:datasette:datasette:0.12
- cpe:2.3:a:datasette:datasette:0.13
- cpe:2.3:a:datasette:datasette:0.14
- cpe:2.3:a:datasette:datasette:0.15
- cpe:2.3:a:datasette:datasette:0.16
- cpe:2.3:a:datasette:datasette:0.17
- cpe:2.3:a:datasette:datasette:0.18
- cpe:2.3:a:datasette:datasette:0.19
- cpe:2.3:a:datasette:datasette:0.20
- cpe:2.3:a:datasette:datasette:0.21
- cpe:2.3:a:datasette:datasette:0.22
- cpe:2.3:a:datasette:datasette:0.22.1
- cpe:2.3:a:datasette:datasette:0.23
- cpe:2.3:a:datasette:datasette:0.23.1
- cpe:2.3:a:datasette:datasette:0.23.2
- cpe:2.3:a:datasette:datasette:0.24
- cpe:2.3:a:datasette:datasette:0.25
- cpe:2.3:a:datasette:datasette:0.25.1
- cpe:2.3:a:datasette:datasette:0.25.2
- cpe:2.3:a:datasette:datasette:0.26
- cpe:2.3:a:datasette:datasette:0.26.1
- cpe:2.3:a:datasette:datasette:0.26.2
- cpe:2.3:a:datasette:datasette:0.27
- cpe:2.3:a:datasette:datasette:0.27.1
- cpe:2.3:a:datasette:datasette:0.28
- cpe:2.3:a:datasette:datasette:0.29
- cpe:2.3:a:datasette:datasette:0.29.1
- cpe:2.3:a:datasette:datasette:0.29.2
- cpe:2.3:a:datasette:datasette:0.29.3
- cpe:2.3:a:datasette:datasette:0.30
- cpe:2.3:a:datasette:datasette:0.30.1
- cpe:2.3:a:datasette:datasette:0.30.2
- cpe:2.3:a:datasette:datasette:0.31
- cpe:2.3:a:datasette:datasette:0.31.1
- cpe:2.3:a:datasette:datasette:0.31.2
- cpe:2.3:a:datasette:datasette:0.32
- cpe:2.3:a:datasette:datasette:0.33
- cpe:2.3:a:datasette:datasette:0.34
- cpe:2.3:a:datasette:datasette:0.35
- cpe:2.3:a:datasette:datasette:0.36
- cpe:2.3:a:datasette:datasette:0.37
- cpe:2.3:a:datasette:datasette:0.37.1
- cpe:2.3:a:datasette:datasette:0.38
- cpe:2.3:a:datasette:datasette:0.39
- cpe:2.3:a:datasette:datasette:0.40
- cpe:2.3:a:datasette:datasette:0.41
- cpe:2.3:a:datasette:datasette:0.42
- cpe:2.3:a:datasette:datasette:0.43
- cpe:2.3:a:datasette:datasette:0.44
- cpe:2.3:a:datasette:datasette:0.45
- cpe:2.3:a:datasette:datasette:0.46
- cpe:2.3:a:datasette:datasette:0.47
- cpe:2.3:a:datasette:datasette:0.47.1
- cpe:2.3:a:datasette:datasette:0.47.2
- cpe:2.3:a:datasette:datasette:0.47.3
- cpe:2.3:a:datasette:datasette:0.48
- cpe:2.3:a:datasette:datasette:0.49
- cpe:2.3:a:datasette:datasette:0.49.1
- cpe:2.3:a:datasette:datasette:0.50
- cpe:2.3:a:datasette:datasette:0.50.1
- cpe:2.3:a:datasette:datasette:0.50.2
- cpe:2.3:a:datasette:datasette:0.51
- cpe:2.3:a:datasette:datasette:0.51.1
- cpe:2.3:a:datasette:datasette:0.52
- cpe:2.3:a:datasette:datasette:0.52.1
- cpe:2.3:a:datasette:datasette:0.52.2
- cpe:2.3:a:datasette:datasette:0.52.3
- cpe:2.3:a:datasette:datasette:0.52.4
- cpe:2.3:a:datasette:datasette:0.52.5
- cpe:2.3:a:datasette:datasette:0.53
- cpe:2.3:a:datasette:datasette:0.54
- cpe:2.3:a:datasette:datasette:0.54.1
- cpe:2.3:a:datasette:datasette:0.55
- cpe:2.3:a:datasette:datasette:0.56