Vulnerability in Dbt-labs Dbt-core
CVE-2024-40637
dbt enables data analysts and engineers to transform their data using the same practices that software engineers use to build applications. When a user installs a package in dbt, it has the ability to override macros, materializations, and…
EPSS: 0.001 (31.2th percentile)
CVSS v3 metric
CVSS v3 base score 4.2 (Medium). Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L.
Affected products
- Dbt-labs Dbt-core — versions < 1.6.14; versions >= 1.7.0 and < 1.7.14
Weakness classification (CWE)
- CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection)
References
- https://github.com/dbt-labs/dbt-core/security/advisories/GHSA-p3f3-5ccg-83xq (x_refsource_CONFIRM)
- https://github.com/dbt-labs/dbt-core/commit/3c82a0296d227cb1be295356df314c11716f4ff6 (x_refsource_MISC)
- https://github.com/dbt-labs/dbt-core/commit/87ac4deb00cc9fe334706e42a365903a1d581624 (x_refsource_MISC)
- https://docs.getdbt.com/docs/build/packages (x_refsource_MISC)
- https://docs.getdbt.com/reference/global-configs/legacy-behaviors#behavior-change-flags (x_refsource_MISC)
- https://tempered.works/posts/2024/07/06/preventing-data-theft-with-gcp-service-controls (x_refsource_MISC)
- https://www.elementary-data.com/post/are-dbt-packages-secure-the-answer-lies-in-your-dwh-policies (x_refsource_MISC)
- https://www.equalexperts.com/blog/tech-focus/are-you-at-risk-from-this-critical-dbt-vulnerability (x_refsource_MISC)
Frequently asked questions
- What is CVE-2024-40637?
- CVE-2024-40637 is a medium-severity vulnerability in Dbt-labs Dbt-core, classified under Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection). CVSS score: 4.2/10. Published 2024-07-16.
- How severe is CVE-2024-40637?
- Medium severity. CVSS v3 base score is 4.2 out of 10.