CVE-2024-36105

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2024-36105
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-36105.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-36105
Aliases
Published
2024-05-27T17:17:39.875Z
Modified
2025-11-27T19:35:41.181452Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
dbt allows Binding to an Unrestricted IP Address via socketsocket
Details

dbt enables data analysts and engineers to transform their data using the same practices that software engineers use to build applications. Prior to versions 1.6.15, 1.7.15, and 1.8.1, Binding to INADDR_ANY (0.0.0.0) or IN6ADDR_ANY (::) exposes an application on all network interfaces, increasing the risk of unauthorized access. As stated in the Python docs, a special form for address is accepted instead of a host address: '' represents INADDR_ANY, equivalent to "0.0.0.0". On systems with IPv6, '' represents IN6ADDR_ANY, which is equivalent to "::". A user who serves docs on an unsecured public network, may unknowingly be hosting an unsecured (http) web site for any remote user/system to access on the same network. The issue has has been mitigated in dbt-core v1.6.15, dbt-core v1.7.15, and dbt-core v1.8.1 by binding to localhost explicitly by default in dbt docs serve.

Database specific 
{
    "cwe_ids": [
        "CWE-1327"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/blob/ee626f5d79d5817bb21d6f048dc0da4c4e383443/cves/2024/36xxx/CVE-2024-36105.json"
}
References

Affected packages

Git / github.com/dbt-labs/dbt-core

Affected ranges

Type
GIT
Repo
https://github.com/dbt-labs/dbt-core
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
86f5cb1949769a64a841f1bdda8f963bf58d63c0
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.6.15"
        }
    ]
}
Type
GIT
Repo
https://github.com/dbt-labs/dbt-core
Events
Introduced
2401600e57048dd56818f7293abed96ffd510ac9
Fixed
72b0f86fa6f6e635b80c146f9eadee2f1b3537dd
Database specific 
{
    "versions": [
        {
            "introduced": "1.7.0"
        },
        {
            "fixed": "1.7.15"
        }
    ]
}
Type
GIT
Repo
https://github.com/dbt-labs/dbt-core
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
aaa22f3002ae3b43860b7fc2d731edb6aacb3d78
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "= 1.8.0"
        }
    ]
}

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-36105.json"