Cleartext Storage of Sensitive Information Affecting dbt-core package, versions [1.7.0,1.7.3)


Severity

CVSS assessment made by Snyk's Security Team

  • Snyk ID SNYK-PYTHON-DBTCORE-6114733
  • published 11 Dec 2023
  • disclosed 8 Dec 2023
  • credit Jeremy Cohen

Introduced: 8 Dec 2023

CVE not available. CWE-315

How to fix?

Upgrade dbt-core to version 1.7.3 or higher.

Overview

dbt-core is a package with which data analysts and engineers can build analytics the way engineers build applications.

Affected versions of this package are vulnerable to Cleartext Storage of Sensitive Information when used to pull source code from a private repository using a Personal Access Token (PAT): the git URL containing the PAT is written in plaintext to the package-lock.yml file.

Workarounds

  1. Remove any git URLs with plaintext secrets from package-lock.yml file(s) on servers, workstations, or in source control.

  2. Rotate any tokens that have been written to version-controlled files.
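To locate and redact such entries as part of workaround 1, the following is an added example scanner (not dbt-core's own code); the sample package-lock.yml and the token value in it are constructed placeholders.

```python
"""Find git URLs with embedded credentials in a dbt package-lock.yml.
Added example for this advisory, not dbt-core code; standard library only.
Entries are scanned line by line so redaction keeps the file's formatting.
"""
import re
from urllib.parse import urlsplit, urlunsplit

# Matches the `git:` key of a lock entry, e.g. "  - git: https://..."
GIT_LINE = re.compile(r"^(?P<prefix>\s*-?\s*git:\s*)(?P<url>\S+)\s*$")


def strip_userinfo(url: str) -> str:
    """Return the URL without any user:password@ part in front of the host."""
    p = urlsplit(url)
    host = p.netloc.rsplit("@", 1)[-1]  # keep host:port, drop userinfo
    return urlunsplit((p.scheme, host, p.path, p.query, p.fragment))


def scan_lock_file(text: str):
    """Return (findings, redacted_text).

    findings: (line_number, redacted_url) for each git URL carrying userinfo.
    Any userinfo counts, since GitHub PAT URLs put the token in the username
    position (https://<token>@github.com/...). Redacting the file does not
    replace rotating the exposed token (workaround 2 in the advisory).
    """
    findings, out = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = GIT_LINE.match(line)
        if m:
            raw = m.group("url")
            quote = raw[0] if raw[0] in "'\"" else ""  # YAML may quote the URL
            url = raw.strip("'\"")
            if urlsplit(url).username is not None:
                clean = strip_userinfo(url)
                findings.append((lineno, clean))
                line = f"{m.group('prefix')}{quote}{clean}{quote}"
        out.append(line)
    return findings, "\n".join(out) + "\n"


# Constructed sample lock file; the token is a placeholder, not a real PAT.
SAMPLE_LOCK = """\
packages:
  - git: https://ghp_EXAMPLE_PLACEHOLDER_TOKEN@github.com/example-org/private-models.git
    revision: 0123456789abcdef0123456789abcdef01234567
  - git: https://github.com/dbt-labs/dbt-utils.git
    revision: 1.1.1
"""
```

Run `scan_lock_file` over every package-lock.yml in the repository history as well as the working tree, since a redacted HEAD does not remove the token from earlier commits.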

CVSS Scores

version 3.1

Snyk (Recommended): 3.2 low
  • Attack Vector (AV)
    Local
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    Low
  • User Interaction (UI)
    Required
  • Scope (S)
    Changed
  • Confidentiality (C)
    Low
  • Integrity (I)
    None
  • Availability (A)
    None