FKIE_CVE-2024-40637

Vulnerability from fkie_nvd - Published: 2024-07-16 23:15 - Updated: 2024-11-21 09:31
Severity ?
4.2 (Medium) - CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
dbt enables data analysts and engineers to transform their data using the same practices that software engineers use to build applications. When a user installs a package in dbt, it has the ability to override macros, materializations, and other core components of dbt. This is by design, as it allows packages to extend and customize dbt's functionality. However, this also means that a malicious package could potentially override these components with harmful code. This issue has been fixed in versions 1.8.0, 1.6.14 and 1.7.14. Users are advised to upgrade. There are no kn own workarounds for this vulnerability. Users updating to either 1.6.14 or 1.7.14 will need to set `flags.require_explicit_package_overrides_for_builtin_materializations: False` in their configuration in `dbt_project.yml`.
References
security-advisories@github.comhttps://docs.getdbt.com/docs/build/packagesProduct
security-advisories@github.comhttps://docs.getdbt.com/reference/global-configs/legacy-behaviors#behavior-change-flagsVendor Advisory
security-advisories@github.comhttps://github.com/dbt-labs/dbt-core/commit/3c82a0296d227cb1be295356df314c11716f4ff6Patch
security-advisories@github.comhttps://github.com/dbt-labs/dbt-core/commit/87ac4deb00cc9fe334706e42a365903a1d581624Patch
security-advisories@github.comhttps://github.com/dbt-labs/dbt-core/security/advisories/GHSA-p3f3-5ccg-83xqVendor Advisory
security-advisories@github.comhttps://tempered.works/posts/2024/07/06/preventing-data-theft-with-gcp-service-controlsExploit, Third Party Advisory
security-advisories@github.comhttps://www.elementary-data.com/post/are-dbt-packages-secure-the-answer-lies-in-your-dwh-policiesExploit, Third Party Advisory
security-advisories@github.comhttps://www.equalexperts.com/blog/tech-focus/are-you-at-risk-from-this-critical-dbt-vulnerabilityExploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://docs.getdbt.com/docs/build/packagesProduct
af854a3a-2127-422b-91ae-364da2661108https://docs.getdbt.com/reference/global-configs/legacy-behaviors#behavior-change-flagsVendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/dbt-labs/dbt-core/commit/3c82a0296d227cb1be295356df314c11716f4ff6Patch
af854a3a-2127-422b-91ae-364da2661108https://github.com/dbt-labs/dbt-core/commit/87ac4deb00cc9fe334706e42a365903a1d581624Patch
af854a3a-2127-422b-91ae-364da2661108https://github.com/dbt-labs/dbt-core/security/advisories/GHSA-p3f3-5ccg-83xqVendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://tempered.works/posts/2024/07/06/preventing-data-theft-with-gcp-service-controlsExploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.elementary-data.com/post/are-dbt-packages-secure-the-answer-lies-in-your-dwh-policiesExploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.equalexperts.com/blog/tech-focus/are-you-at-risk-from-this-critical-dbt-vulnerabilityExploit, Third Party Advisory
Impacted products
Vendor Product Version
getdbt dbt_core *
getdbt dbt_core *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:getdbt:dbt_core:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "914D843B-54DC-45D0-ACC5-CA2EE99FE727",
              "versionEndExcluding": "1.6.14",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getdbt:dbt_core:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9452C38F-FDF5-4F99-87A9-3C6DBBA031F2",
              "versionEndExcluding": "1.7.14",
              "versionStartIncluding": "1.7.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "dbt enables data analysts and engineers to transform their data using the same practices that software engineers use to build applications. When a user installs a package in dbt, it has the ability to override macros, materializations, and other core components of dbt. This is by design, as it allows packages to extend and customize dbt\u0027s functionality. However, this also means that a malicious package could potentially override these components with harmful code. This issue has been fixed in versions 1.8.0, 1.6.14 and 1.7.14. Users are advised to upgrade. There are no kn own workarounds for this vulnerability. Users updating to either 1.6.14 or 1.7.14 will need to set `flags.require_explicit_package_overrides_for_builtin_materializations: False` in their configuration in `dbt_project.yml`."
    },
    {
      "lang": "es",
      "value": "dbt permite a los ingenieros y analistas de datos transformar sus datos utilizando las mismas pr\u00e1cticas que utilizan los ingenieros de software para crear aplicaciones. Cuando un usuario instala un paquete en dbt, tiene la capacidad de anular macros, materializaciones y otros componentes principales de dbt. Esto es por dise\u00f1o, ya que permite que los paquetes extiendan y personalicen la funcionalidad de dbt. Sin embargo, esto tambi\u00e9n significa que un paquete malicioso podr\u00eda anular estos componentes con c\u00f3digo da\u00f1ino. Este problema se solucion\u00f3 en las versiones 1.8.0, 1.6.14 y 1.7.14. Se recomienda a los usuarios que actualicen. No existen workarounds conocidos para esta vulnerabilidad. Los usuarios que actualicen a 1.6.14 o 1.7.14 deber\u00e1n configurar `flags.require_explicit_package_overrides_for_builtin_materializations: False` en su configuraci\u00f3n en `dbt_project.yml`."
    }
  ],
  "id": "CVE-2024-40637",
  "lastModified": "2024-11-21T09:31:24.457",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "LOCAL",
          "availabilityImpact": "LOW",
          "baseScore": 4.2,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 0.8,
        "impactScore": 3.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-07-16T23:15:24.260",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product"
      ],
      "url": "https://docs.getdbt.com/docs/build/packages"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://docs.getdbt.com/reference/global-configs/legacy-behaviors#behavior-change-flags"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/dbt-labs/dbt-core/commit/3c82a0296d227cb1be295356df314c11716f4ff6"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/dbt-labs/dbt-core/commit/87ac4deb00cc9fe334706e42a365903a1d581624"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/dbt-labs/dbt-core/security/advisories/GHSA-p3f3-5ccg-83xq"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://tempered.works/posts/2024/07/06/preventing-data-theft-with-gcp-service-controls"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://www.elementary-data.com/post/are-dbt-packages-secure-the-answer-lies-in-your-dwh-policies"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://www.equalexperts.com/blog/tech-focus/are-you-at-risk-from-this-critical-dbt-vulnerability"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "https://docs.getdbt.com/docs/build/packages"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://docs.getdbt.com/reference/global-configs/legacy-behaviors#behavior-change-flags"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/dbt-labs/dbt-core/commit/3c82a0296d227cb1be295356df314c11716f4ff6"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/dbt-labs/dbt-core/commit/87ac4deb00cc9fe334706e42a365903a1d581624"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/dbt-labs/dbt-core/security/advisories/GHSA-p3f3-5ccg-83xq"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://tempered.works/posts/2024/07/06/preventing-data-theft-with-gcp-service-controls"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://www.elementary-data.com/post/are-dbt-packages-secure-the-answer-lies-in-your-dwh-policies"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://www.equalexperts.com/blog/tech-focus/are-you-at-risk-from-this-critical-dbt-vulnerability"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-74"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-89"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.