GHSA-p72q-h37j-3hq7
Suggest an improvement- Source
- https://github.com/advisories/GHSA-p72q-h37j-3hq7
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-p72q-h37j-3hq7/GHSA-p72q-h37j-3hq7.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-p72q-h37j-3hq7
- Published
- 2024-04-22T22:17:59Z
- Modified
- 2024-12-05T05:39:08.399422Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- dbt uses a SQLparse version with a high vulnerability
- Details
-
Summary
Using a version of
sqlparsethat has a security vulnerability and no way to update in current version of dbt core. Snyk recommends usingsqlparse==0.5but this causes a conflict with dbt. Snyk states the issues is a recursion error:SNYK-PYTHON-SQLPARSE-6615674.Details
Dependency conflict error message:
The conflict is caused by: The user requested sqlparse==0.5 dbt-core 1.7.10 depends on sqlparse<0.5 and >=0.2.3Resolution was to pin
sqlparse >=0.5.0, <0.6.0indbt-core, patched in 1.6.13 and 1.7.13.PoC
From Snyk:
import sqlparse sqlparse.parse('[' * 10000 + ']' * 10000)Impact
Snyk classifies it as high 7.5/10.
Patches
The bug has been fixed in dbt-core v1.6.13 and dbt-core v1.7.13.
Mitigations
Bump
dbt-core1.6 and 1.7 dependencies to 1.6.13 and 1.7.13 respectively - Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-673" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-04-22T22:17:59Z" }- References
Affected packages
PyPI / dbt-core
Package
- Name
- dbt-core
- View open source insights on deps.dev
- Purl
- pkg:pypi/dbt-core
PyPI / dbt-core
Package
- Name
- dbt-core
- View open source insights on deps.dev
- Purl
- pkg:pypi/dbt-core