PT-2024-26893 · Dbt-Core · Dbt-Core

Ericwb · Published 2024-05-27 · Updated 2024-05-28 · CVE-2024-36105
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
dbt-core versions prior to 1.6.15
dbt-core versions prior to 1.7.15
dbt-core versions prior to 1.8.1
Description
The `dbt docs serve` command binds its HTTP server to INADDR_ANY (0.0.0.0) or, on systems with IPv6, IN6ADDR_ANY (::). This exposes the documentation site on every network interface of the host instead of only on the loopback interface, increasing the risk of unauthorized access. The Python socket documentation notes that a special form of address is accepted in place of a host address: the empty string `''` represents INADDR_ANY, equivalent to "0.0.0.0", and on systems with IPv6 it represents IN6ADDR_ANY, equivalent to "::". A user who runs `dbt docs serve` while connected to an unsecured public network may therefore unknowingly host an unencrypted (plain HTTP) web site that any remote user or system on the same network can reach.
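The following Python snippet is an added illustration, not dbt-core's own code, of the socket behaviour described above: a server bound to the empty string ends up on 0.0.0.0 (all interfaces), while an explicit 127.0.0.1 keeps it on loopback. It probes the kernel with a throwaway socket on port 0, so it can be run safely anywhere. The `choose_bind_host` policy helper and its `allow_remote` parameter are assumptions made for this example and are not a dbt-core option.

```python
import socket
from http.server import HTTPServer, SimpleHTTPRequestHandler
from typing import Optional

# Addresses the kernel reports back when a socket was bound to INADDR_ANY
# (IPv4) or IN6ADDR_ANY (IPv6), i.e. to every interface on the host.
WILDCARD_ADDRESSES = {"0.0.0.0", "::"}
LOOPBACK_HOST = "127.0.0.1"


def bound_address(host: str) -> str:
    """Bind a throwaway TCP socket exactly as http.server would and return the
    address the kernel actually assigned. Port 0 asks for any free port, so
    this probe is harmless to run on a developer machine."""
    family = socket.AF_INET6 if ":" in host else socket.AF_INET
    with socket.socket(family, socket.SOCK_STREAM) as sock:
        sock.bind((host, 0))
        return sock.getsockname()[0]


def is_wildcard_bind(host: str) -> bool:
    """True if `host` (including the '' shorthand) means 'all interfaces'."""
    return bound_address(host) in WILDCARD_ADDRESSES


def choose_bind_host(requested: Optional[str], allow_remote: bool = False) -> str:
    """Hypothetical hardened policy for a docs-serving command (not dbt-core's):
    default to loopback, and refuse a wildcard bind unless the caller opted in."""
    host = LOOPBACK_HOST if requested is None else requested
    if is_wildcard_bind(host) and not allow_remote:
        raise ValueError(
            f"refusing to bind {host!r}: it exposes the docs site on all "
            "interfaces; pass allow_remote=True if that is really intended"
        )
    return bound_address(host)


def build_docs_server(host: str, port: int) -> HTTPServer:
    """Static-file server of the kind 'docs serve' commands use; the (host, port)
    tuple passed here is what decides which interfaces it listens on."""
    return HTTPServer((host, port), SimpleHTTPRequestHandler)


if __name__ == "__main__":
    # Vulnerable pattern: '' silently becomes INADDR_ANY.
    print("'' binds to", bound_address(""))            # 0.0.0.0
    # Hardened pattern: an explicit loopback address stays local.
    print("default bind is", choose_bind_host(None))   # 127.0.0.1
    server = build_docs_server(choose_bind_host(None), 0)
    print("serving on", server.server_address)
    server.server_close()
```

Run the module directly to see the two bind results side by side; `choose_bind_host("")` raises, which is the behaviour a hardened default gives a user who never asked to publish the docs site beyond their own machine.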
Recommendations
Update to a fixed release: for dbt-core versions prior to 1.6.15, update to 1.6.15 or later; for versions prior to 1.7.15, update to 1.7.15 or later; for versions prior to 1.8.1, update to 1.8.1 or later. As a temporary workaround, configure `dbt docs serve` to bind explicitly to localhost (127.0.0.1) rather than to the wildcard address, so that the docs site is reachable only from the machine running it.

Related Identifiers

CVE-2024-36105
GHSA-PMRX-695R-4349

Affected Products

Dbt-Core