PYSEC-2024-66

Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/dbt-core/PYSEC-2024-66.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2024-66
Aliases
Published
2024-07-16T23:15:00Z
Modified
2024-07-19T17:41:45.635162Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

dbt enables data analysts and engineers to transform their data using the same practices that software engineers use to build applications. When a user installs a package in dbt, that package has the ability to override macros, materializations, and other core components of dbt. This is by design, as it allows packages to extend and customize dbt's functionality. However, it also means that a malicious package could override these components with harmful code. This issue has been fixed in versions 1.8.0, 1.6.14 and 1.7.14. Users are advised to upgrade. There are no known workarounds for this vulnerability. Users updating to either 1.6.14 or 1.7.14 will need to set `flags.require_explicit_package_overrides_for_builtin_materializations: False` in their configuration in dbt_project.yml.

References

Affected packages

PyPI / dbt-core

Package

Affected ranges

Type
GIT
Repo
https://github.com/dbt-labs/dbt-core
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Type
ECOSYSTEM
Events
Introduced
1.7.0
Fixed
1.7.14
Introduced
0 Unknown introduced version / All previous versions are affected
Fixed
1.6.14

Affected versions

0.*

0.13.0a1
0.13.0a2
0.13.0rc1
0.13.0
0.13.1a1
0.13.1a2
0.13.1
0.14.0a1
0.14.0a2
0.14.0rc1
0.14.0
0.14.1a1
0.14.1rc1
0.14.1rc2
0.14.1
0.14.2
0.14.3rc1
0.14.3
0.14.4
0.15.0b1
0.15.0b2
0.15.0b3
0.15.0rc1
0.15.0rc2
0.15.0
0.15.1rc1
0.15.1rc2
0.15.1
0.15.2
0.15.3rc1
0.15.3
0.16.0b1
0.16.0b2
0.16.0b3
0.16.0rc1
0.16.0rc2
0.16.0rc3
0.16.0rc4
0.16.0
0.16.1rc1
0.16.1
0.17.0b1
0.17.0b2
0.17.0rc1
0.17.0rc2
0.17.0rc3
0.17.0rc4
0.17.0
0.17.1rc1
0.17.1rc2
0.17.1rc3
0.17.1rc4
0.17.1
0.17.2b1
0.17.2rc1
0.17.2
0.18.0b1
0.18.0b2
0.18.0rc1
0.18.0rc2
0.18.0
0.18.1b1
0.18.1b2
0.18.1b3
0.18.1rc1
0.18.1
0.18.2rc1
0.18.2
0.19.0b1
0.19.0rc1
0.19.0rc2
0.19.0rc3
0.19.0
0.19.1b2
0.19.1rc1
0.19.1rc2
0.19.1
0.19.2rc1
0.19.2rc2
0.19.2
0.20.0b1
0.20.0rc1
0.20.0rc2
0.20.0
0.20.1rc1
0.20.1
0.20.2rc1
0.20.2rc2
0.20.2
0.21.0b1
0.21.0b2
0.21.0rc1
0.21.0rc2
0.21.0
0.21.1rc1
0.21.1rc2
0.21.1

1.*

1.0.0b1
1.0.0b2
1.0.0rc1
1.0.0rc2
1.0.0rc3
1.0.0
1.0.1rc1
1.0.1
1.0.2rc1
1.0.2
1.0.3
1.0.4
1.0.5rc1
1.0.5rc2
1.0.5rc3
1.0.5
1.0.6rc1
1.0.6
1.0.7
1.0.8
1.0.9
1.1.0b1
1.1.0rc1
1.1.0rc2
1.1.0rc3
1.1.0
1.1.1rc1
1.1.1rc2
1.1.1
1.1.2rc1
1.1.2
1.1.3
1.1.4
1.1.5
1.2.0b1
1.2.0rc1
1.2.0rc2
1.2.0
1.2.1rc1
1.2.1rc2
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.2.6
1.3.0b1
1.3.0b2
1.3.0rc1
1.3.0rc2
1.3.0
1.3.1
1.3.2rc1
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6
1.3.7
1.4.0b1
1.4.0rc1
1.4.0rc2
1.4.0
1.4.1
1.4.2rc1
1.4.2rc2
1.4.2
1.4.3
1.4.4
1.4.5
1.4.6
1.4.7
1.4.8
1.4.9
1.5.0b1
1.5.0b2
1.5.0b3
1.5.0b4
1.5.0b5
1.5.0rc1
1.5.0rc2
1.5.0
1.5.1rc1
1.5.1rc2
1.5.1
1.5.2rc1
1.5.2rc2
1.5.2
1.5.3
1.5.4rc1
1.5.4
1.5.5
1.5.6
1.5.7
1.5.8
1.5.9
1.5.10
1.5.11
1.6.0b1
1.6.0b2
1.6.0b3
1.6.0b4
1.6.0b5
1.6.0b6
1.6.0b7
1.6.0b8
1.6.0rc1
1.6.0rc2
1.6.0
1.6.1rc1
1.6.1
1.6.2
1.6.3
1.6.4
1.6.5
1.6.6
1.6.7
1.6.8
1.6.9
1.6.10
1.6.11
1.6.12
1.6.13
1.7.0
1.7.1
1.7.2
1.7.3
1.7.4
1.7.5
1.7.6
1.7.7
1.7.8
1.7.9
1.7.10
1.7.11
1.7.12
1.7.13