5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-36105

GHSA ID

GHSA-pmrx-695r-4349

EPSS Score

0.4177%

CWE

CWE-1327

Published

5/28/2024

Updated

5/28/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-36105

CVE-2024-36105: dbt allows Binding to an Unrestricted IP Address via socketsocket

Summary

Binding to INADDR_ANY (0.0.0.0) or IN6ADDR_ANY (::) exposes an application on all network interfaces, increasing the risk of unauthorized access.

While doing some static analysis and code inspection, I found the following code binding a socket to INADDR_ANY by passing "" as the address. This effectively binds to any network interface on the local system, not just localhost (127.0.0.1).

Details

As stated in the Python docs, a special form for address is accepted instead of a host address: '' represents INADDR_ANY, equivalent to "0.0.0.0". On systems with IPv6, '' represents IN6ADDR_ANY, which is equivalent to "::".

https://github.com/dbt-labs/dbt-core/blob/main/core/dbt/task/docs/serve.py#L23C38-L23C39

The text around this code also imply the intention is to host docs only on localhost.

PoC

To recreate, run the docs ServeTask.run() to stand up the HTTP server. Then run netstat to see what addresses this process is bound.

Impact

A user who serves docs on an unsecured public network, may unknowingly be hosting an unsecured (http) web site for any remote user/system to access on the same network.

Further references: https://docs.python.org/3/library/socket.html#socket-families https://docs.securesauce.dev/rules/PY030 https://cwe.mitre.org/data/definitions/1327.html

Patches

The issue has has been mitigated in dbt-core v1.6.15, dbt-core v1.7.15, and dbt-core v1.8.1 by binding to localhost explicitly by default in dbt docs serve (https://github.com/dbt-labs/dbt-core/issues/10209).

(GitHub Advisory)

5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-36105

GHSA ID

GHSA-pmrx-695r-4349

EPSS Score

0.4177%

CWE

CWE-1327

Published

5/28/2024

Updated

5/28/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
dbt-core	pip	< 1.6.15	1.6.15
dbt-core	pip	>= 1.7.0, < 1.7.15	1.7.15
dbt-core	pip	= 1.8.0	1.8.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the use of an empty string ('') in the TCPServer initialization, which binds to all interfaces. The code example in serve.py (line 23) explicitly shows this pattern. The fix in the commit replaces '' with '127.0.0.1', confirming this was the vulnerable line. The ServeTask.run() method is directly responsible for starting the server, making it the clear vulnerable function with high confidence.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry *in*in* to `IN***R_*NY (*.*.*.*)` or `IN****R_*NY (::)` *xpos*s *n *ppli**tion on *ll n*twork int*r****s, in*r**sin* t** risk o* un*ut*oriz** ****ss. W*il* *oin* som* st*ti* *n*lysis *n* *o** insp**tion, I *oun* t** *ollowin* *o** *in*i

Reasoning

T** vuln*r**ility st*ms *rom t** us* o* *n *mpty strin* ('') in t** T*PS*rv*r initi*liz*tion, w*i** *in*s to *ll int*r****s. T** *o** *x*mpl* in s*rv*.py (lin* **) *xpli*itly s*ows t*is p*tt*rn. T** *ix in t** *ommit r*pl***s '' wit* '***.*.*.*', *on

5.3

Basic Information

Concerned about an active attack path?

CVE-2024-36105: dbt allows Binding to an Unrestricted IP Address via socketsocket

Summary

Details

PoC

Impact

Patches

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI