NVD Vulnerability Details: CVE-2024-40637
Status: Analyzed
Source: security-advisories@github.com
Published At: 16 Jul, 2024 | 23:15
Updated At: 19 Jul, 2024 | 14:37

dbt enables data analysts and engineers to transform their data using the same practices that software engineers use to build applications. When a user installs a package in dbt, it has the ability to override macros, materializations, and other core components of dbt. This is by design, as it allows packages to extend and customize dbt's functionality. However, this also means that a malicious package could potentially override these components with harmful code. This issue has been fixed in versions 1.8.0, 1.6.14 and 1.7.14. Users are advised to upgrade. There are no known workarounds for this vulnerability. Users updating to either 1.6.14 or 1.7.14 will need to set `flags.require_explicit_package_overrides_for_builtin_materializations: False` in their configuration in `dbt_project.yml`.

CISA Catalog
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
Type: Primary
Version: 3.1
Base score: 7.8
Base severity: HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Type: Secondary
Version: 3.1
Base score: 4.2
Base severity: MEDIUM
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L
CPE Matches

Vendor: getdbt
Product: dbt_core
Versions: before 1.6.14 (exclusive)
CPE: cpe:2.3:a:getdbt:dbt_core:*:*:*:*:*:*:*:*

Vendor: getdbt
Product: dbt_core
Versions: from 1.7.0 (inclusive) to 1.7.14 (exclusive)
CPE: cpe:2.3:a:getdbt:dbt_core:*:*:*:*:*:*:*:*
Weaknesses
CWE ID: CWE-89
Type: Primary
Source: nvd@nist.gov

CWE ID: CWE-74
Type: Secondary
Source: security-advisories@github.com
References
Hyperlink: https://docs.getdbt.com/docs/build/packages
Source: security-advisories@github.com
Resource: Product

Hyperlink: https://docs.getdbt.com/reference/global-configs/legacy-behaviors#behavior-change-flags
Source: security-advisories@github.com
Resource: Vendor Advisory

Hyperlink: https://github.com/dbt-labs/dbt-core/commit/3c82a0296d227cb1be295356df314c11716f4ff6
Source: security-advisories@github.com
Resource: Patch

Hyperlink: https://github.com/dbt-labs/dbt-core/commit/87ac4deb00cc9fe334706e42a365903a1d581624
Source: security-advisories@github.com
Resource: Patch

Hyperlink: https://github.com/dbt-labs/dbt-core/security/advisories/GHSA-p3f3-5ccg-83xq
Source: security-advisories@github.com
Resource: Vendor Advisory

Hyperlink: https://tempered.works/posts/2024/07/06/preventing-data-theft-with-gcp-service-controls
Source: security-advisories@github.com
Resource: Exploit, Third Party Advisory

Hyperlink: https://www.elementary-data.com/post/are-dbt-packages-secure-the-answer-lies-in-your-dwh-policies
Source: security-advisories@github.com
Resource: Exploit, Third Party Advisory

Hyperlink: https://www.equalexperts.com/blog/tech-focus/are-you-at-risk-from-this-critical-dbt-vulnerability
Source: security-advisories@github.com
Resource: Exploit, Third Party Advisory
Change History
0 changes found