Binding to an Unrestricted IP Address Affecting dbt-core package, versions [1.5.0b1,1.6.15) [1.7.0,1.7.15) [1.8.0,1.8.1)


Severity

Recommended: medium (CVSS assessment made by Snyk's Security Team)

Threat Intelligence
  • Exploit Maturity: Proof of concept
  • EPSS: 0.04% (15th percentile)

  • Snyk ID SNYK-PYTHON-DBTCORE-7148534
  • published 28 May 2024
  • disclosed 27 May 2024
  • credit ricwb

How to fix?

Upgrade dbt-core to version 1.6.15, 1.7.15, 1.8.1 or higher. The fixed releases bind the docs server to 127.0.0.1 by default and add a --host option for the cases where exposing it beyond the local machine is actually intended. Until the upgrade is in place, run `dbt docs serve` only on hosts that are not reachable from untrusted networks, or block its port (8080 by default) with a host firewall.

Overview

dbt-core is a data transformation framework. With dbt, data analysts and engineers can build analytics the way engineers build applications.

Affected versions of this package are vulnerable to Binding to an Unrestricted IP Address. The HTTP server started by `dbt docs serve` binds to INADDR_ANY (0.0.0.0) or IN6ADDR_ANY (::), that is, to every network interface on the host, instead of only to the loopback interface. Anyone who can reach the host on any of those interfaces can connect to the documentation server without authentication and read what it serves.

PoC

To recreate, run the docs command's ServeTask.run() to stand up the HTTP server, then run netstat (or ss -ltnp) to see which addresses the process is bound to: the listening socket shows 0.0.0.0 or :: rather than 127.0.0.1.
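The two steps above, as an added example that is not code from dbt-core or from the reporter: a stand-in docs server built on the standard library reproduces the wildcard bind next to the loopback-only fix, and a small parser runs the "check what the process is bound to" step over `ss -ltnp` output. The function names, the `python` process name, port 8080 and every line of `SAMPLE_SS` are assumptions constructed for this example.

```python
"""Wildcard bind versus loopback bind, plus an ss-based audit for it."""
import ipaddress
import socketserver
from http.server import SimpleHTTPRequestHandler


class _QuietHandler(SimpleHTTPRequestHandler):
    """SimpleHTTPRequestHandler with request logging silenced."""

    def log_message(self, fmt, *args):
        pass


def start_docs_server(host: str, port: int = 0) -> socketserver.TCPServer:
    """Bind an HTTP server the way a docs server would.

    host="" or "0.0.0.0" reproduces the vulnerable INADDR_ANY bind;
    host="127.0.0.1" is the loopback-only fix. port=0 lets the OS pick a
    free port so the example runs anywhere. Caller must server_close().
    """
    socketserver.TCPServer.allow_reuse_address = True
    return socketserver.TCPServer((host, port), _QuietHandler)


def bound_host(server: socketserver.TCPServer) -> str:
    """The address the listening socket actually ended up on."""
    return server.socket.getsockname()[0]


def is_wildcard(host: str) -> bool:
    """True for INADDR_ANY / IN6ADDR_ANY, including ss's '*' shorthand."""
    if host in ("", "*"):
        return True
    try:
        return ipaddress.ip_address(host).is_unspecified
    except ValueError:
        return False


# Constructed `ss -ltnp` output (not captured from a real host): two wildcard
# listeners owned by a python process, and one loopback-only listener.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      5      0.0.0.0:8080        0.0.0.0:*         users:(("python",pid=4242,fd=3))
LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*         users:(("postgres",pid=901,fd=6))
LISTEN 0      5      [::]:8080           [::]:*            users:(("python",pid=4242,fd=4))
"""


def wildcard_listeners(ss_output: str, process: str = "python"):
    """Parse `ss -ltnp` output and return (host, port, pid) for every LISTEN
    socket owned by `process` that is bound to a wildcard address."""
    hits = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "LISTEN":
            continue
        local, proc = fields[3], fields[5]
        host, port = local.rsplit(":", 1)   # "[::]:8080" -> "[::]", "8080"
        host = host.strip("[]")
        if f'"{process}"' in proc and is_wildcard(host):
            pid = int(proc.split("pid=")[1].split(",")[0])
            hits.append((host, int(port), pid))
    return hits


if __name__ == "__main__":
    for host in ("0.0.0.0", "127.0.0.1"):
        srv = start_docs_server(host)
        verdict = "exposed on all interfaces" if is_wildcard(bound_host(srv)) else "loopback only"
        print(f"requested {host!r:12} -> bound {bound_host(srv)!r:12} {verdict}")
        srv.server_close()
    print("wildcard listeners in sample ss output:", wildcard_listeners(SAMPLE_SS))
```

On a live host the same check is `ss -ltnp | grep python` (or `netstat -tlnp`) while `dbt docs serve` is running; a local address of 0.0.0.0, :: or * means the server is reachable from every interface, and 127.0.0.1 or ::1 means it is not.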

CVSS Scores

version 3.1

Snyk (Recommended): 5.3 medium
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  • Attack Vector (AV): Network
  • Attack Complexity (AC): Low
  • Privileges Required (PR): None
  • User Interaction (UI): None
  • Scope (S): Unchanged
  • Confidentiality (C): Low
  • Integrity (I): None
  • Availability (A): None