Sethmlarson

**Name of the Vulnerable Software and Affected Versions** dbt-common versions prior to 1.34.2 dbt-common versions prior to 1.37.3 **Description** A path traversal issue exists in the `safe extract()` function of dbt-common when extracting tarball archives. The function uses `os.path.commonprefix()` to validate file paths, but this function compares paths character-by-character instead of by path components. This allows a malicious tarball to write files to sibling directories with matching name prefixes. For example, when extracting to `/tmp/packages`, a crafted tarball could write files to `/tmp/packagesevil/`. The vulnerability affects users who install dbt packages from untrusted sources or process tarball archives through dbt-common's extraction utilities. The fix replaces `os.path.commonprefix()` with `os.path.commonpath()`, which correctly compares paths by their components. **Recommendations** Upgrade to dbt-common version 1.34.2 or later. Upgrade to dbt-common version 1.37.3 or later. Only install dbt packages from trusted sources. Avoid installing packages from untrusted URLs or unverified third parties. Review package contents before installation when sourcing from external locations.

Name of the Vulnerable Software and Affected Versions: check-jsonschema versions prior to 0.30.0 Description: The default cache strategy in check-jsonschema uses the basename of a remote schema as the name of the file in the cache. This naming allows for conflicts, enabling an attacker to insert their own schema into the cache if a user runs check-jsonschema against a malicious schema URL. Such a cache confusion attack could be used to allow data to pass validation which should have been rejected. Recommendations: For versions prior to 0.30.0, users can use the `--no-cache` flag to disable caching. For versions prior to 0.30.0, users can use the `--cache-filename` flag to select filenames for use in the cache, or to ensure that other usages do not overwrite the cached schema. For versions prior to 0.30.0, users can explicitly download the schema before use as a local file, as in `curl -LOs https://example.org/schema.json; check-jsonschema --schemafile ./schema.json` Upgrade to version 0.30.0 to patch the issue.

**Name of the Vulnerable Software and Affected Versions** aiohttp versions 3.8.4 and earlier **Description** The issue is related to the handling of HTTP requests in aiohttp, which can lead to HTTP request smuggling when a crafted HTTP request is sent. This affects users of aiohttp as an HTTP server, but not those using it as an HTTP client library. The vulnerability is addressed in version 3.8.5. **Recommendations** For aiohttp versions 3.8.4 and earlier, upgrade to version 3.8.5 to resolve the issue. As a temporary workaround for users unable to upgrade, reinstall aiohttp using `AIOHTTP NO EXTENSIONS=1` as an environment variable to disable the llhttp HTTP request parser implementation.