CVE-2024-36105

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2024-36105

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-36105.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2024-36105

Aliases

GHSA-pmrx-695r-4349

Published

2024-05-27T17:17:39.875Z

Modified

2026-03-13T14:52:35.612778Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

dbt allows Binding to an Unrestricted IP Address via socketsocket

Details

dbt enables data analysts and engineers to transform their data using the same practices that software engineers use to build applications. Prior to versions 1.6.15, 1.7.15, and 1.8.1, Binding to INADDR_ANY (0.0.0.0) or IN6ADDR_ANY (::) exposes an application on all network interfaces, increasing the risk of unauthorized access. As stated in the Python docs, a special form for address is accepted instead of a host address: '' represents INADDR_ANY, equivalent to "0.0.0.0". On systems with IPv6, '' represents IN6ADDR_ANY, which is equivalent to "::". A user who serves docs on an unsecured public network, may unknowingly be hosting an unsecured (http) web site for any remote user/system to access on the same network. The issue has has been mitigated in dbt-core v1.6.15, dbt-core v1.7.15, and dbt-core v1.8.1 by binding to localhost explicitly by default in dbt docs serve.

Database specific

{
    "cwe_ids": [
        "CWE-1327"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/36xxx/CVE-2024-36105.json",
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/dbt-labs/dbt-core

Affected ranges

Type: GIT
Repo: https://github.com/dbt-labs/dbt-core
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

0c08d7a19ad1740be3cb0b2e6d9d64f6537176f7

Type: GIT
Repo: https://github.com/dbt-labs/dbt-core
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

86f5cb1949769a64a841f1bdda8f963bf58d63c0

Type: GIT
Repo: https://github.com/dbt-labs/dbt-core
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

72b0f86fa6f6e635b80c146f9eadee2f1b3537dd

Type: GIT
Repo: https://github.com/dbt-labs/dbt-core
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

48a3a098ed120e2b921de7fa8e30452191a147e1

Type: GIT
Repo: https://github.com/dbt-labs/dbt-core
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

0c08d7a19ad1740be3cb0b2e6d9d64f6537176f7

Type: GIT
Repo: https://github.com/dbt-labs/dbt-core
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

86f5cb1949769a64a841f1bdda8f963bf58d63c0

Type: GIT
Repo: https://github.com/dbt-labs/dbt-core
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

72b0f86fa6f6e635b80c146f9eadee2f1b3537dd

Type: GIT
Repo: https://github.com/dbt-labs/dbt-core
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

48a3a098ed120e2b921de7fa8e30452191a147e1

Affected versions

0.*

0.11.1

0.15.latest

0.3.0

0.4.1

0.5.2

v0.*

v0.10.0

v0.10.1

v0.10.2

v0.11.0

v0.12.0

v0.12.1

v0.12.2

v0.13.0

v0.13.1

v0.14.0

v0.14.1

v0.14.2

v0.15.0

v0.15.2

v0.15.2a1

v0.16.0

v0.16.0b1

v0.16.0b3

v0.17.0

v0.17.1

v0.17.1rc1

v0.17.1rc2

v0.17.1rc3

v0.17.1rc4

v0.17.2

v0.17.2b1

v0.17.2rc1

v0.18.0

v0.18.0b2

v0.18.0rc1

v0.18.1b1

v0.18.1b2

v0.18.1b3

v0.18.1rc1

v0.19.0

v0.19.0b1

v0.19.0rc1

v0.19.0rc2

v0.19.1b2

v0.2.3.0

v0.20.0b1

v0.20.0rc1

v0.21.0b1

v0.4.0

v0.4.7

v0.5.0

v0.5.1

v0.5.3

v0.5.4

v0.6.0

v0.6.1

v0.6.2

v0.7.0

v0.7.1

v0.8.0

v0.8.1

v0.8.2

v0.8.3

v0.9.0

v0.9.0a1

v0.9.0a2

v0.9.1

v1.*

v1.0.0b1

v1.0.0b2

v1.0.0rc1

v1.0.0rc2

v1.0.0rc3

v1.1.0b1

v1.2.0b1

v1.3.0b1

v1.3.0b2

v1.4.0b1

v1.5.0b1

v1.5.0b2

v1.5.0b3

v1.5.0b4

v1.5.0b5

v1.6.0

v1.6.0b1

v1.6.0b2

v1.6.0b3

v1.6.0b4

v1.6.0b5

v1.6.0b6

v1.6.0b7

v1.6.0b8

v1.6.0rc1

v1.6.0rc2

v1.6.1

v1.6.10

v1.6.11

v1.6.12

v1.6.13

v1.6.14

v1.6.1rc1

v1.6.2

v1.6.3

v1.6.4

v1.6.5

v1.6.6

v1.6.7

v1.6.8

v1.6.9

v1.7.0

v1.7.0b1

v1.7.0b2

v1.7.0rc1

v1.7.1

v1.7.10

v1.7.11

v1.7.12

v1.7.13

v1.7.14

v1.7.2

v1.7.3

v1.7.4

v1.7.5

v1.7.6

v1.7.7

v1.7.8

v1.7.9

v1.8.0

v1.8.0b1

v1.8.0b2

v1.8.0b3

v1.8.0rc1

v1.8.0rc2

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-36105.json"