CVE-2024-36105: dbt allows Binding to an Unrestricted IP Address via socket
Binding to INADDR_ANY (0.0.0.0) or IN6ADDR_ANY (::) exposes an application on all network interfaces, increasing the risk of unauthorized access.
While doing some static analysis and code inspection, I found the following code binding a socket to INADDR_ANY by passing "" as the address. This effectively binds to any network interface on the local system, not just localhost (127.0.0.1).
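The check a reviewer would want for this pattern, as an added example that is not dbt's own code: `is_unrestricted_bind` flags the addresses Python's socket module maps to INADDR_ANY / IN6ADDR_ANY (the empty string, 0.0.0.0 and ::), and `bind_listener` refuses them so a listener can only be bound to a specific address such as loopback. Function names and the use of an ephemeral port are assumptions made for the example.

```python
import ipaddress
import socket


def is_unrestricted_bind(host: str) -> bool:
    """True when `host` would make bind() listen on every interface.

    "" is how the Python socket module spells INADDR_ANY; "0.0.0.0" and "::"
    are the unspecified IPv4/IPv6 addresses. Anything else (a concrete
    address or a hostname such as "localhost") is left to the OS resolver.
    """
    if host == "":
        return True
    try:
        return ipaddress.ip_address(host).is_unspecified
    except ValueError:
        return False  # not an IP literal, e.g. "localhost"


def bind_listener(host: str, port: int = 0) -> socket.socket:
    """Bind a TCP listener, refusing all-interface binds.

    Vulnerable pattern:  sock.bind(("", port))            # INADDR_ANY
    Hardened pattern:    sock.bind(("127.0.0.1", port))   # loopback only
    port=0 asks the kernel for an ephemeral port (assumption for the example).
    """
    if is_unrestricted_bind(host):
        raise ValueError(f"refusing to bind {host!r}: listener would be exposed on all interfaces")
    family = socket.AF_INET6 if ":" in host else socket.AF_INET
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.bind((host, port))
    sock.listen(1)
    return sock


def bound_address(host: str) -> str:
    """Bind and report the address the kernel actually assigned."""
    with bind_listener(host) as sock:
        return sock.getsockname()[0]


def bind_refused(host: str) -> bool:
    """True if bind_listener rejects `host` as an all-interface bind."""
    try:
        with bind_listener(host):
            return False
    except ValueError:
        return True


if __name__ == "__main__":
    print("loopback listener bound to", bound_address("127.0.0.1"))
    print("empty-string bind refused:", bind_refused(""))
```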
References
- cwe.mitre.org/data/definitions/1327.html
- docs.python.org/3/library/socket.html
- docs.securesauce.dev/rules/PY030
- github.com/advisories/GHSA-pmrx-695r-4349
- github.com/dbt-labs/dbt-core
- github.com/dbt-labs/dbt-core/blob/main/core/dbt/task/docs/serve.py
- github.com/dbt-labs/dbt-core/commit/0c08d7a19ad1740be3cb0b2e6d9d64f6537176f7
- github.com/dbt-labs/dbt-core/issues/10209
- github.com/dbt-labs/dbt-core/pull/10208
- github.com/dbt-labs/dbt-core/releases/tag/v1.6.15
- github.com/dbt-labs/dbt-core/releases/tag/v1.7.15
- github.com/dbt-labs/dbt-core/releases/tag/v1.8.1
- github.com/dbt-labs/dbt-core/security/advisories/GHSA-pmrx-695r-4349
- nvd.nist.gov/vuln/detail/CVE-2024-36105