recce@1.49.0

Environment diff tool for dbt

  • latest version

    1.55.0

  • latest non vulnerable version

  • first published

    2 years ago

  • latest version published

    11 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the recce package. This does not include vulnerabilities belonging to this package’s dependencies.

    Fix vulnerabilities automatically

    Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

    Fix for free
    VulnerabilityVulnerable Version
    • H
    External Control of File Name or Path

    recce is an Environment diff tool for dbt

    Affected versions of this package are vulnerable to External Control of File Name or Path via the query run API when configured with a DuckDB-backed project. An attacker can access or modify local files accessible to the server process, potentially leading to disclosure of sensitive files, tampering with artifacts, modification of static files resulting in stored XSS, or alteration of application files by sending crafted SQL queries that leverage DuckDB filesystem primitives. This is only exploitable if the server is exposed to an untrusted network without authentication.

    How to fix External Control of File Name or Path?

    Upgrade recce to version 1.50.0 or higher.

    [,1.50.0)