CVE-2021-32670
Description
Datasette is an open source multi-tool for exploring and publishing data. The `?_trace=1` debugging feature in Datasette does not correctly escape the HTML it generates, resulting in a [reflected cross-site scripting](https://owasp.org/www-community/attacks/xss/#reflected-xss-attacks) vulnerability. This vulnerability is particularly relevant if your Datasette installation includes authenticated features provided by plugins such as [datasette-auth-passwords](https://datasette.io/plugins/datasette-auth-passwords), since an attacker could use it to access protected data. Datasette 0.57 and 0.56.1 both include patches for this issue. If you run Datasette behind a proxy, you can work around this issue by rejecting any incoming request whose query string contains `?_trace=` or `&_trace=`.
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| PyPI | datasette | <0.56.1 | 0.56.1 |
References
- https://github.com/simonw/datasette/security/advisories/GHSA-xw7c-jx9m-xh5g
- https://nvd.nist.gov/vuln/detail/CVE-2021-32670
- https://github.com/simonw/datasette/issues/1360
- https://datasette.io/plugins/datasette-auth-passwords
- https://owasp.org/www-community/attacks/xss/#reflected-xss-attacks
- https://pypi.org/project/datasette
- https://github.com/advisories/GHSA-gff3-739c-gxfq
- https://github.com/pypa/advisory-database/tree/main/vulns/datasette/PYSEC-2021-89.yaml
- https://github.com/simonw/datasette