{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-36105", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-05-20T21:07:48.186Z", "datePublished": "2024-05-27T17:17:39.875Z", "dateUpdated": "2024-08-21T14:20:58.463Z"}, "containers": {"cna": {"title": "dbt allows Binding to an Unrestricted IP Address via socketsocket", "problemTypes": [{"descriptions": [{"cweId": "CWE-1327", "lang": "en", "description": "CWE-1327: Binding to an Unrestricted IP Address", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/dbt-labs/dbt-core/security/advisories/GHSA-pmrx-695r-4349", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/dbt-labs/dbt-core/security/advisories/GHSA-pmrx-695r-4349"}, {"name": "https://github.com/dbt-labs/dbt-core/issues/10209", "tags": ["x_refsource_MISC"], "url": "https://github.com/dbt-labs/dbt-core/issues/10209"}, {"name": "https://github.com/dbt-labs/dbt-core/pull/10208", "tags": ["x_refsource_MISC"], "url": "https://github.com/dbt-labs/dbt-core/pull/10208"}, {"name": "https://github.com/dbt-labs/dbt-core/commit/0c08d7a19ad1740be3cb0b2e6d9d64f6537176f7", "tags": ["x_refsource_MISC"], "url": "https://github.com/dbt-labs/dbt-core/commit/0c08d7a19ad1740be3cb0b2e6d9d64f6537176f7"}, {"name": "https://cwe.mitre.org/data/definitions/1327.html", "tags": ["x_refsource_MISC"], "url": "https://cwe.mitre.org/data/definitions/1327.html"}, {"name": "https://docs.python.org/3/library/socket.html#socket-families", "tags": ["x_refsource_MISC"], "url": 
"https://docs.python.org/3/library/socket.html#socket-families"}, {"name": "https://docs.securesauce.dev/rules/PY030", "tags": ["x_refsource_MISC"], "url": "https://docs.securesauce.dev/rules/PY030"}, {"name": "https://github.com/dbt-labs/dbt-core/blob/main/core/dbt/task/docs/serve.py#L23C38-L23C39", "tags": ["x_refsource_MISC"], "url": "https://github.com/dbt-labs/dbt-core/blob/main/core/dbt/task/docs/serve.py#L23C38-L23C39"}, {"name": "https://github.com/dbt-labs/dbt-core/releases/tag/v1.6.15", "tags": ["x_refsource_MISC"], "url": "https://github.com/dbt-labs/dbt-core/releases/tag/v1.6.15"}, {"name": "https://github.com/dbt-labs/dbt-core/releases/tag/v1.7.15", "tags": ["x_refsource_MISC"], "url": "https://github.com/dbt-labs/dbt-core/releases/tag/v1.7.15"}, {"name": "https://github.com/dbt-labs/dbt-core/releases/tag/v1.8.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/dbt-labs/dbt-core/releases/tag/v1.8.1"}], "affected": [{"vendor": "dbt-labs", "product": "dbt-core", "versions": [{"version": "< 1.6.15", "status": "affected"}, {"version": ">= 1.7.0, < 1.7.15", "status": "affected"}, {"version": "= 1.8.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-05-27T17:17:39.875Z"}, "descriptions": [{"lang": "en", "value": "dbt enables data analysts and engineers to transform their data using the same practices that software engineers use to build applications. Prior to versions 1.6.15, 1.7.15, and 1.8.1, Binding to `INADDR_ANY (0.0.0.0)` or `IN6ADDR_ANY (::)` exposes an application on all network interfaces, increasing the risk of unauthorized access. As stated in the Python docs, a special form for address is accepted instead of a host address: `''` represents `INADDR_ANY`, equivalent to `\"0.0.0.0\"`. On systems with IPv6, '' represents `IN6ADDR_ANY`, which is equivalent to `\"::\"`. 
A user who serves docs on an unsecured public network may unknowingly be hosting an unsecured (plain HTTP) web site that any remote user or system on the same network can access. The issue has been mitigated in dbt-core v1.6.15, dbt-core v1.7.15, and dbt-core v1.8.1 by binding to localhost explicitly by default in `dbt docs serve`. Until upgraded, `dbt docs serve` should not be run on a host reachable from untrusted networks.\n"}], "source": {"advisory": "GHSA-pmrx-695r-4349", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:30:12.980Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/dbt-labs/dbt-core/security/advisories/GHSA-pmrx-695r-4349", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/dbt-labs/dbt-core/security/advisories/GHSA-pmrx-695r-4349"}, {"name": "https://github.com/dbt-labs/dbt-core/issues/10209", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/dbt-labs/dbt-core/issues/10209"}, {"name": "https://github.com/dbt-labs/dbt-core/pull/10208", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/dbt-labs/dbt-core/pull/10208"}, {"name": "https://github.com/dbt-labs/dbt-core/commit/0c08d7a19ad1740be3cb0b2e6d9d64f6537176f7", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/dbt-labs/dbt-core/commit/0c08d7a19ad1740be3cb0b2e6d9d64f6537176f7"}, {"name": "https://cwe.mitre.org/data/definitions/1327.html", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://cwe.mitre.org/data/definitions/1327.html"}, {"name": "https://docs.python.org/3/library/socket.html#socket-families", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://docs.python.org/3/library/socket.html#socket-families"}, {"name": "https://docs.securesauce.dev/rules/PY030", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://docs.securesauce.dev/rules/PY030"}, {"name": 
"https://github.com/dbt-labs/dbt-core/blob/main/core/dbt/task/docs/serve.py#L23C38-L23C39", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/dbt-labs/dbt-core/blob/main/core/dbt/task/docs/serve.py#L23C38-L23C39"}, {"name": "https://github.com/dbt-labs/dbt-core/releases/tag/v1.6.15", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/dbt-labs/dbt-core/releases/tag/v1.6.15"}, {"name": "https://github.com/dbt-labs/dbt-core/releases/tag/v1.7.15", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/dbt-labs/dbt-core/releases/tag/v1.7.15"}, {"name": "https://github.com/dbt-labs/dbt-core/releases/tag/v1.8.1", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/dbt-labs/dbt-core/releases/tag/v1.8.1"}]}, {"affected": [{"vendor": "dbt-labs", "product": "dbt-core", "cpes": ["cpe:2.3:a:dbt-labs:dbt-core:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "1.6.15", "versionType": "custom"}, {"version": "1.7.0", "status": "affected", "lessThan": "1.7.15", "versionType": "custom"}]}, {"vendor": "dbt-labs", "product": "dbt-core", "cpes": ["cpe:2.3:a:dbt-labs:dbt-core:1.8.0:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "1.8.0", "status": "affected"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-21T13:52:53.518603Z", "id": "CVE-2024-36105", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-21T14:20:58.463Z"}}]}}