CVE-2024-36105 – dbt-core
Package
Manager: pip
Name: dbt-core
Vulnerable Version: >=0 <1.6.15 || >=1.7.0 <1.7.15 || =1.8.0 || >=1.8.0 <1.8.1
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00195 (percentile 0.41587)
Details
dbt allows Binding to an Unrestricted IP Address via socket.socket

### Summary

Binding to `INADDR_ANY (0.0.0.0)` or `IN6ADDR_ANY (::)` exposes an application on all network interfaces, increasing the risk of unauthorized access. While doing some static analysis and code inspection, I found the following code binding a socket to `INADDR_ANY` by passing `""` as the address. This effectively binds to any network interface on the local system, not just localhost (127.0.0.1).

### Details

As stated in the Python docs, a special form of address is accepted instead of a host address: `''` represents `INADDR_ANY`, equivalent to `"0.0.0.0"`. On systems with IPv6, `''` represents `IN6ADDR_ANY`, which is equivalent to `"::"`.

https://github.com/dbt-labs/dbt-core/blob/main/core/dbt/task/docs/serve.py#L23C38-L23C39

The text around this code also implies that the intention is to host docs only on localhost.

### PoC

To recreate, run the docs `ServeTask.run()` to stand up the HTTP server. Then run `netstat` to see which addresses this process is bound to.

### Impact

A user who serves docs on an unsecured public network may unknowingly be hosting an unsecured (http) web site for any remote user/system on the same network to access.

Further references:

- https://docs.python.org/3/library/socket.html#socket-families
- https://docs.securesauce.dev/rules/PY030
- https://cwe.mitre.org/data/definitions/1327.html

### Patches

The issue has been mitigated in [dbt-core v1.6.15](https://github.com/dbt-labs/dbt-core/releases/tag/v1.6.15), [dbt-core v1.7.15](https://github.com/dbt-labs/dbt-core/releases/tag/v1.7.15), and [dbt-core v1.8.1](https://github.com/dbt-labs/dbt-core/releases/tag/v1.8.1) by binding to localhost explicitly by default in `dbt docs serve` (https://github.com/dbt-labs/dbt-core/issues/10209).
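The following is an added example, not code from dbt-core or from the advisory author. It shows the behaviour the Details section describes: Python's `socket.bind` treats `""` as `INADDR_ANY`, so the kernel reports the listener as `0.0.0.0` (what `netstat` would show), whereas an explicit `"127.0.0.1"` keeps it on loopback. It also includes a small `ast`-based static check, in the spirit of the report, that flags `bind()` calls whose host is a literal unrestricted address. `choose_docs_bind_host`, `find_unrestricted_binds` and the `SAMPLE_SOURCE` text are constructed for this example and are not dbt-core APIs; the sample only binds ephemeral ports and never calls `listen()`.

```python
import ast
import socket
from typing import List, Optional

# Literal host values that Python's socket module maps to "every interface":
# "" is the documented shorthand for INADDR_ANY (0.0.0.0); on IPv6 hosts it
# is IN6ADDR_ANY (::). Any of these exposes the listener beyond loopback.
UNRESTRICTED_BIND_ADDRESSES = frozenset({"", "0.0.0.0", "::"})


def is_unrestricted_bind(host: str) -> bool:
    """True if binding to `host` would expose the socket on all interfaces."""
    return host.strip() in UNRESTRICTED_BIND_ADDRESSES


def bound_address(host: str) -> str:
    """Bind a throwaway IPv4 TCP socket to `host` on an ephemeral port and
    return the address the kernel actually assigned. This is the address a
    tool such as `netstat` would display for the process."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.bind((host, 0))  # port 0: let the OS pick a free port; no listen()
        return sock.getsockname()[0]


def choose_docs_bind_host(requested_host: Optional[str]) -> str:
    """Hypothetical helper mirroring the patched default: serve on loopback
    unless the caller explicitly asks for a different address."""
    if requested_host is None:
        return "127.0.0.1"
    return requested_host


def find_unrestricted_binds(source: str) -> List[int]:
    """Lightweight static check (constructed for this example): return the
    line numbers of `obj.bind((host, port))` calls whose host is a literal
    unrestricted address. Hosts computed at runtime are not detected."""
    hits: List[int] = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr == "bind"
                and node.args
                and isinstance(node.args[0], ast.Tuple)
                and node.args[0].elts):
            continue
        host_node = node.args[0].elts[0]
        if (isinstance(host_node, ast.Constant)
                and isinstance(host_node.value, str)
                and is_unrestricted_bind(host_node.value)):
            hits.append(node.lineno)
    return hits


# Constructed sample module: line 3 binds to INADDR_ANY, line 5 to loopback.
SAMPLE_SOURCE = '''\
import socket
srv = socket.socket()
srv.bind(("", 8080))
safe = socket.socket()
safe.bind(("127.0.0.1", 8080))
'''


if __name__ == "__main__":
    for host in ("", "127.0.0.1"):
        print(f"bind({host!r}) -> reported as {bound_address(host)}; "
              f"unrestricted={is_unrestricted_bind(host)}")
    print("default docs host:", choose_docs_bind_host(None))
    print("unrestricted bind() calls in sample at lines:",
          find_unrestricted_binds(SAMPLE_SOURCE))
```

Running the block prints `bind('') -> reported as 0.0.0.0` and `bind('127.0.0.1') -> reported as 127.0.0.1`, which is the difference the advisory's `netstat` step is meant to reveal; the static check reports only line 3 of the sample.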
Metadata
Created: 2024-05-28T21:19:14Z
Modified: 2024-05-28T21:19:14Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-pmrx-695r-4349/GHSA-pmrx-695r-4349.json
CWE IDs: ["CWE-1327"]
Alternative ID: GHSA-pmrx-695r-4349
Finding: F332
Auto approve: 1