Homepage
About Snyk

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Affecting dbt-core package, versions [0,1.6.14) [1.7.0,1.7.14)

Severity

 Recommended
0.0
low
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    Exploit Maturity
    Proof of concept
    EPSS
    0.04% (11th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-PYTHON-DBTCORE-7430282
  • published 17 Jul 2024
  • disclosed 3 Jul 2024
  • credit Paul Brabban
Report a new vulnerability Found a mistake?

Introduced: 3 Jul 2024

CVE-2024-40637 Open this link in a new tab
CWE-74 Open this link in a new tab
First added by Snyk

How to fix?

Upgrade dbt-core to version 1.6.14, 1.7.14 or higher.

Overview

dbt-core is a With dbt, data analysts and engineers can build analytics the way engineers build applications.

Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') allowing an attacker to install a malicious package, gaining the ability to override macros, materializations, and other core components of dbt.

Workaround

Users unable to upgrade to the fixed version can set the flags.require_explicit_package_overrides_for_builtin_materializations to False configuration in dbt_project.yml.

CVSS Scores

version 4.0
version 3.1
Expand this section

Snyk

Recommended
1 low
  • Attack Vector (AV)
    Local
  • Attack Complexity (AC)
    Low
  • Attack Requirements (AT)
    Present
  • Privileges Required (PR)
    Low
  • User Interaction (UI)
    Passive
  • Confidentiality (VC)
    Low
  • Integrity (VI)
    Low
  • Availability (VA)
    Low
  • Confidentiality (SC)
    None
  • Integrity (SI)
    None
  • Availability (SA)
    None