CVE-2024-40637

HIGH EPSS 29.1%
Published Jul 16, 2024 (1y ago) · Modified Jun 17, 2026 (2w ago)
7.8 CVSS 3.1
High

Description

dbt enables data analysts and engineers to transform their data using the same practices that software engineers use to build applications. When a user installs a package in dbt, it has the ability to override macros, materializations, and other core components of dbt. This is by design, as it allows packages to extend and customize dbt's functionality. However, this also means that a malicious package could potentially override these components with harmful code. This issue has been fixed in versions 1.8.0, 1.6.14 and 1.7.14. Users are advised to upgrade. There are no known workarounds for this vulnerability. Users updating to either 1.6.14 or 1.7.14 will need to set `flags.require_explicit_package_overrides_for_builtin_materializations: False` in their configuration in `dbt_project.yml`.

CVSS Details

Base Score
7.8
Exploitability
1.8
Impact
5.9
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
29.1% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 2

CWE-74 Injection
CWE-89 SQL Injection

Affected Products 2

Vendor   Product    Version   Range
getdbt   dbt_core   *         <1.6.14
getdbt   dbt_core   *         ≥1.7.0 – <1.7.14

References 8

  • docs.getdbt.com https://docs.getdbt.com/docs/build/packages
    Product
  • docs.getdbt.com https://docs.getdbt.com/reference/global-configs/legacy-behaviors#behavior-change-flags
    Vendor Advisory
  • github.com https://github.com/dbt-labs/dbt-core/commit/3c82a0296d227cb1be295356df314c11716f4ff6
    Patch
  • github.com https://github.com/dbt-labs/dbt-core/commit/87ac4deb00cc9fe334706e42a365903a1d581624
    Patch
  • github.com https://github.com/dbt-labs/dbt-core/security/advisories/GHSA-p3f3-5ccg-83xq
    Vendor Advisory
  • tempered.works https://tempered.works/posts/2024/07/06/preventing-data-theft-with-gcp-service-controls
    Exploit, Third Party Advisory
  • elementary-data.com https://www.elementary-data.com/post/are-dbt-packages-secure-the-answer-lies-in-your-dwh-policies
    Exploit, Third Party Advisory
  • equalexperts.com https://www.equalexperts.com/blog/tech-focus/are-you-at-risk-from-this-critical-dbt-vulnerability
    Exploit, Third Party Advisory

Remediation

  • github.com https://github.com/dbt-labs/dbt-core/commit/3c82a0296d227cb1be295356df314c11716f4ff6
    Patch
  • github.com https://github.com/dbt-labs/dbt-core/commit/87ac4deb00cc9fe334706e42a365903a1d581624
    Patch