Malicious Package Could Potentially Override Core Components of dbt
CVE-2024-40637

7.8 HIGH

Key Information:

Vendor: dbt-labs
Status: Vendor
CVE Published: 16 July 2024

What is CVE-2024-40637?

dbt, the data transformation tool maintained by dbt Labs, lets users install packages that can override core components such as macros and materializations. This behaviour is intended to make dbt extensible and customizable, but it also means that a malicious package, once installed, can replace built-in behaviour that the project relies on. There are no known workarounds, so users are advised to upgrade to a fixed version (1.8.0, 1.6.14, or 1.7.14) without delay. Users upgrading to 1.6.14 or 1.7.14 must additionally set 'flags.require_explicit_package_overrides_for_builtin_materializations: False' in their dbt_project.yml for the fix to take effect.

Affected Version(s)

dbt-core: < 1.6.14 (fixed in 1.6.14)

dbt-core: >= 1.7.0, < 1.7.14 (fixed in 1.7.14)
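The following is an added example, not code from the advisory or from dbt Labs: a small Python check that compares an installed dbt-core version against the affected ranges listed above and reports whether a dbt_project.yml explicitly sets the package-override flag named in the description. The affected ranges and the flag name are taken from this page; the function names, the version-parsing rules and the sample dbt_project.yml are assumptions constructed for the example, and nothing here invokes dbt itself.

```python
"""Check an installed dbt-core version against the affected ranges on this page.

Added example, not part of the advisory or of dbt itself. The ranges below are
transcribed from the advisory; the sample project file is constructed inline.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges as stated on the page: (min inclusive or None, max exclusive, fixed_in).
# 1.8.0 and later are not listed as affected and so fall outside both ranges.
AFFECTED_RANGES = [
    (None, (1, 6, 14), "1.6.14"),       # dbt-core < 1.6.14
    ((1, 7, 0), (1, 7, 14), "1.7.14"),  # dbt-core >= 1.7.0, < 1.7.14
]

# Flag the advisory says must be configured in dbt_project.yml after upgrading.
OVERRIDE_FLAG = "require_explicit_package_overrides_for_builtin_materializations"

# Constructed sample dbt_project.yml used to exercise the flag check.
SAMPLE_PROJECT_YML = """
name: analytics
version: '1.0'
flags:
  require_explicit_package_overrides_for_builtin_materializations: False
"""


def parse_version(text: str) -> Version:
    """Extract major.minor.patch from a version string such as '1.7.3' or '1.8.0b1'."""
    match = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"unrecognised dbt-core version: {text!r}")
    return int(match.group(1)), int(match.group(2)), int(match.group(3))


def is_affected(version_text: str) -> Optional[str]:
    """Return the fixed version the page lists for an affected release, or None."""
    version = parse_version(version_text)
    for lower, upper_exclusive, fixed_in in AFFECTED_RANGES:
        if lower is not None and version < lower:
            continue
        if version < upper_exclusive:
            return fixed_in
    return None


def override_flag_setting(project_yml: str) -> Optional[str]:
    """Return the literal value set for the override flag, or None if it is absent.

    A line scan is enough for a top-level 'flags:' entry and avoids a YAML dependency;
    trailing comments after the value are ignored.
    """
    pattern = re.compile(rf"^\s*{OVERRIDE_FLAG}:\s*([^\s#]+)", re.MULTILINE)
    match = pattern.search(project_yml)
    return match.group(1) if match else None


def assess(version_text: str, project_yml: str) -> dict:
    """Combine the version and configuration checks into one report."""
    fixed_in = is_affected(version_text)
    return {
        "version": version_text,
        "affected": fixed_in is not None,
        "fixed_in": fixed_in,
        "override_flag": override_flag_setting(project_yml),
    }


if __name__ == "__main__":
    for candidate in ("1.5.9", "1.6.13", "1.6.14", "1.7.0", "1.7.14", "1.8.0"):
        print(assess(candidate, SAMPLE_PROJECT_YML))
```

Run it as a script to see each candidate version classified; in a CI job, feed it the output of `dbt --version` and the project's real dbt_project.yml instead of the constructed sample.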

References

CVSS V3.1

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published