PT-2024-28956 · Dbt
Brabster
Published 2024-07-16 · Updated 2025-10-07
CVE-2024-40637
CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
dbt versions prior to 1.6.14
dbt versions prior to 1.7.14
dbt versions prior to 1.8.0
Description
The issue allows a malicious package to override core components of dbt with harmful code when installed. This is due to the design of dbt, which permits packages to extend and customize its functionality. There are no known workarounds for this issue.
Recommendations
For versions prior to 1.6.14, update to version 1.6.14 and set flags.require_explicit_package_overrides_for_builtin_materializations: False in the configuration in dbt_project.yml.
For versions prior to 1.7.14, update to version 1.7.14 and set flags.require_explicit_package_overrides_for_builtin_materializations: False in the configuration in dbt_project.yml.
For versions prior to 1.8.0, update to version 1.8.0.
Exploit
Fix
SQL injection
Special Elements Injection
Affected Products
Dbt