dbt enables data analysts and engineers to transform their data using the same practices that software engineers use to build applications. When a user installs a package in dbt, it has the ability to override macros, materializations, and other core components of dbt. This is by design, as it allows packages to extend and customize dbt's functionality. However, this also means that a malicious package could potentially override these components with harmful code. This issue has been fixed in versions 1.8.0, 1.6.14 and 1.7.14. Users are advised to upgrade. There are no kn own workarounds for this vulnerability. Users updating to either 1.6.14 or 1.7.14 will need to set `flags.require_explicit_package_overrides_for_builtin_materializations: False` in their configuration in `dbt_project.yml`.
References
Configurations
Configuration 1 (hide)
|
History
19 Jul 2024, 14:37
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-89 | |
CPE | cpe:2.3:a:getdbt:dbt_core:*:*:*:*:*:*:*:* | |
References | () https://docs.getdbt.com/docs/build/packages - Product | |
References | () https://docs.getdbt.com/reference/global-configs/legacy-behaviors#behavior-change-flags - Vendor Advisory | |
References | () https://github.com/dbt-labs/dbt-core/commit/3c82a0296d227cb1be295356df314c11716f4ff6 - Patch | |
References | () https://github.com/dbt-labs/dbt-core/commit/87ac4deb00cc9fe334706e42a365903a1d581624 - Patch | |
References | () https://github.com/dbt-labs/dbt-core/security/advisories/GHSA-p3f3-5ccg-83xq - Vendor Advisory | |
References | () https://tempered.works/posts/2024/07/06/preventing-data-theft-with-gcp-service-controls - Exploit, Third Party Advisory | |
References | () https://www.elementary-data.com/post/are-dbt-packages-secure-the-answer-lies-in-your-dwh-policies - Exploit, Third Party Advisory | |
References | () https://www.equalexperts.com/blog/tech-focus/are-you-at-risk-from-this-critical-dbt-vulnerability - Exploit, Third Party Advisory | |
First Time |
Getdbt dbt Core
Getdbt |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.8 |
17 Jul 2024, 13:34
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
16 Jul 2024, 23:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-07-16 23:15
Updated : 2024-07-19 14:37
NVD link : CVE-2024-40637
Mitre link : CVE-2024-40637
CVE.ORG link : CVE-2024-40637
JSON object : View
Products Affected
getdbt
- dbt_core