CVE-2024-40637

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-40637

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-40637.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-40637

Aliases

Related

GHSA-p3f3-5ccg-83xq

Published

2024-07-16T23:15:24Z

Modified

2025-01-15T05:15:30.518585Z

Severity

7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

dbt enables data analysts and engineers to transform their data using the same practices that software engineers use to build applications. When a user installs a package in dbt, it has the ability to override macros, materializations, and other core components of dbt. This is by design, as it allows packages to extend and customize dbt's functionality. However, this also means that a malicious package could potentially override these components with harmful code. This issue has been fixed in versions 1.8.0, 1.6.14 and 1.7.14. Users are advised to upgrade. There are no kn own workarounds for this vulnerability. Users updating to either 1.6.14 or 1.7.14 will need to set flags.require_explicit_package_overrides_for_builtin_materializations: False in their configuration in dbt_project.yml.

References

Affected packages

Git / github.com/dbt-labs/dbt-core

Affected ranges

Type: GIT
Repo: https://github.com/dbt-labs/dbt-core
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

3c82a0296d227cb1be295356df314c11716f4ff6

Fixed

3c82a0296d227cb1be295356df314c11716f4ff6

Fixed

87ac4deb00cc9fe334706e42a365903a1d581624

Fixed

87ac4deb00cc9fe334706e42a365903a1d581624

Affected versions

0.*

0.11.1

0.15.latest

0.3.0

0.4.1

0.5.2

v0.*

v0.10.0

v0.10.1

v0.10.2

v0.11.0

v0.12.0

v0.12.1

v0.12.2

v0.13.0

v0.13.1

v0.14.0

v0.14.1

v0.14.2

v0.15.0

v0.15.2

v0.15.2a1

v0.16.0

v0.16.0b1

v0.16.0b3

v0.17.0

v0.17.1

v0.17.1rc1

v0.17.1rc2

v0.17.1rc3

v0.17.1rc4

v0.17.2

v0.17.2b1

v0.17.2rc1

v0.18.0

v0.18.0b2

v0.18.0rc1

v0.18.1b1

v0.18.1b2

v0.18.1b3

v0.18.1rc1

v0.19.0

v0.19.0b1

v0.19.0rc1

v0.19.0rc2

v0.19.1b2

v0.2.3.0

v0.20.0b1

v0.20.0rc1

v0.21.0b1

v0.4.0

v0.4.7

v0.5.0

v0.5.1

v0.5.3

v0.5.4

v0.6.0

v0.6.1

v0.6.2

v0.7.0

v0.7.1

v0.8.0

v0.8.1

v0.8.2

v0.8.3

v0.9.0

v0.9.0a1

v0.9.0a2

v0.9.1

v1.*

v1.0.0b1

v1.0.0b2

v1.0.0rc1

v1.0.0rc2

v1.0.0rc3

v1.1.0b1

v1.2.0b1

v1.3.0b1

v1.3.0b2

v1.4.0b1

v1.5.0b1

v1.5.0b2

v1.5.0b3

v1.5.0b4

v1.5.0b5

v1.6.0

v1.6.0b1

v1.6.0b2

v1.6.0b3

v1.6.0b4

v1.6.0b5

v1.6.0b6

v1.6.0b7

v1.6.0b8

v1.6.0rc1

v1.6.0rc2

v1.6.1

v1.6.10

v1.6.11

v1.6.12

v1.6.13

v1.6.1rc1

v1.6.2

v1.6.3

v1.6.4

v1.6.5

v1.6.6

v1.6.7

v1.6.8

v1.6.9

v1.7.0

v1.7.0b1

v1.7.0b2

v1.7.0rc1

v1.7.1

v1.7.10

v1.7.11

v1.7.12

v1.7.13

v1.7.2

v1.7.3

v1.7.4

v1.7.5

v1.7.6

v1.7.7

v1.7.8

v1.7.9