Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:pypi/dbt-core@0.17.0rc3

Type pypi

Namespace

Name dbt-core

Version 0.17.0rc3

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 1.6.15

Latest_non_vulnerable_version 1.8.1

Affected_by_vulnerabilities

url VCID-8ua2-19er-1fgy

vulnerability_id VCID-8ua2-19er-1fgy

summary dbt enables data analysts and engineers to transform their data using the same practices that software engineers use to build applications. Prior to versions 1.6.15, 1.7.15, and 1.8.1, Binding to `INADDR_ANY (0.0.0.0)` or `IN6ADDR_ANY (::)` exposes an application on all network interfaces, increasing the risk of unauthorized access. As stated in the Python docs, a special form for address is accepted instead of a host address: `''` represents `INADDR_ANY`, equivalent to `"0.0.0.0"`. On systems with IPv6, '' represents `IN6ADDR_ANY`, which is equivalent to `"::"`. A user who serves docs on an unsecured public network, may unknowingly be hosting an unsecured (http) web site for any remote user/system to access on the same network. The issue has has been mitigated in dbt-core v1.6.15, dbt-core v1.7.15, and dbt-core v1.8.1 by binding to localhost explicitly by default in `dbt docs serve`.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-36105

reference_id

reference_type

scores

value	0.00265
scoring_system	epss
scoring_elements	0.50392
published_at	2026-06-12T12:55:00Z

value	0.00265
scoring_system	epss
scoring_elements	0.50257
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-36105

reference_url

https://github.com/dbt-labs/dbt-core

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/dbt-labs/dbt-core

reference_url

https://github.com/dbt-labs/dbt-core/commit/0c08d7a19ad1740be3cb0b2e6d9d64f6537176f7

reference_id

0c08d7a19ad1740be3cb0b2e6d9d64f6537176f7

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-21T13:52:53Z/

url

https://github.com/dbt-labs/dbt-core/commit/0c08d7a19ad1740be3cb0b2e6d9d64f6537176f7

reference_url

https://github.com/dbt-labs/dbt-core/pull/10208

reference_id

10208

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-21T13:52:53Z/

url

https://github.com/dbt-labs/dbt-core/pull/10208

reference_url

https://github.com/dbt-labs/dbt-core/issues/10209

reference_id

10209

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-21T13:52:53Z/

url

https://github.com/dbt-labs/dbt-core/issues/10209

reference_url

https://cwe.mitre.org/data/definitions/1327.html

reference_id

1327.html

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-21T13:52:53Z/

url

https://cwe.mitre.org/data/definitions/1327.html

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-36105

reference_id

CVE-2024-36105

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-36105

reference_url

https://github.com/advisories/GHSA-pmrx-695r-4349

reference_id

GHSA-pmrx-695r-4349

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-pmrx-695r-4349

reference_url

https://github.com/dbt-labs/dbt-core/security/advisories/GHSA-pmrx-695r-4349

reference_id

GHSA-pmrx-695r-4349

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-21T13:52:53Z/

url

https://github.com/dbt-labs/dbt-core/security/advisories/GHSA-pmrx-695r-4349

reference_url

https://docs.securesauce.dev/rules/PY030

reference_id

PY030

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-21T13:52:53Z/

url

https://docs.securesauce.dev/rules/PY030

reference_url

https://github.com/dbt-labs/dbt-core/blob/main/core/dbt/task/docs/serve.py#L23C38-L23C39

reference_id

serve.py#L23C38-L23C39

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-21T13:52:53Z/

url

https://github.com/dbt-labs/dbt-core/blob/main/core/dbt/task/docs/serve.py#L23C38-L23C39

reference_url

https://docs.python.org/3/library/socket.html#socket-families

reference_id

socket.html#socket-families

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-21T13:52:53Z/

url

https://docs.python.org/3/library/socket.html#socket-families

reference_url

https://github.com/dbt-labs/dbt-core/releases/tag/v1.6.15

reference_id

v1.6.15

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-21T13:52:53Z/

url

https://github.com/dbt-labs/dbt-core/releases/tag/v1.6.15

reference_url

https://github.com/dbt-labs/dbt-core/releases/tag/v1.7.15

reference_id

v1.7.15

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-21T13:52:53Z/

url

https://github.com/dbt-labs/dbt-core/releases/tag/v1.7.15

reference_url

https://github.com/dbt-labs/dbt-core/releases/tag/v1.8.1

reference_id

v1.8.1

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-21T13:52:53Z/

url

https://github.com/dbt-labs/dbt-core/releases/tag/v1.8.1

fixed_packages

url	pkg:pypi/dbt-core@1.6.15
purl	pkg:pypi/dbt-core@1.6.15
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:pypi/dbt-core@1.6.15

url	pkg:pypi/dbt-core@1.7.15
purl	pkg:pypi/dbt-core@1.7.15
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:pypi/dbt-core@1.7.15

url	pkg:pypi/dbt-core@1.8.1
purl	pkg:pypi/dbt-core@1.8.1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:pypi/dbt-core@1.8.1

aliases CVE-2024-36105, GHSA-pmrx-695r-4349

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8ua2-19er-1fgy

url VCID-gbmk-13y4-rkgg

vulnerability_id VCID-gbmk-13y4-rkgg

summary dbt enables data analysts and engineers to transform their data using the same practices that software engineers use to build applications. When a user installs a package in dbt, it has the ability to override macros, materializations, and other core components of dbt. This is by design, as it allows packages to extend and customize dbt's functionality. However, this also means that a malicious package could potentially override these components with harmful code. This issue has been fixed in versions 1.8.0, 1.6.14 and 1.7.14. Users are advised to upgrade. There are no kn own workarounds for this vulnerability. Users updating to either 1.6.14 or 1.7.14 will need to set `flags.require_explicit_package_overrides_for_builtin_materializations: False` in their configuration in `dbt_project.yml`.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-40637

reference_id

reference_type

scores

value	0.00124
scoring_system	epss
scoring_elements	0.31381
published_at	2026-06-12T12:55:00Z

value	0.00124
scoring_system	epss
scoring_elements	0.31188
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-40637

reference_url

https://github.com/dbt-labs/dbt-core

reference_id

reference_type

scores

value	4.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L

value	2.4
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/dbt-labs/dbt-core

reference_url

https://github.com/pypa/advisory-database/tree/main/vulns/dbt-core/PYSEC-2024-66.yaml

reference_id

reference_type

scores

value	4.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L

value	2.4
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/pypa/advisory-database/tree/main/vulns/dbt-core/PYSEC-2024-66.yaml

reference_url

https://github.com/dbt-labs/dbt-core/commit/3c82a0296d227cb1be295356df314c11716f4ff6

reference_id

3c82a0296d227cb1be295356df314c11716f4ff6

reference_type

scores

value	4.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	2.4
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-17T14:33:07Z/

url

https://github.com/dbt-labs/dbt-core/commit/3c82a0296d227cb1be295356df314c11716f4ff6

reference_url

https://github.com/dbt-labs/dbt-core/commit/87ac4deb00cc9fe334706e42a365903a1d581624

reference_id

87ac4deb00cc9fe334706e42a365903a1d581624

reference_type

scores

value	4.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	2.4
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-17T14:33:07Z/

url

https://github.com/dbt-labs/dbt-core/commit/87ac4deb00cc9fe334706e42a365903a1d581624

reference_url

https://www.elementary-data.com/post/are-dbt-packages-secure-the-answer-lies-in-your-dwh-policies

reference_id

are-dbt-packages-secure-the-answer-lies-in-your-dwh-policies

reference_type

scores

value	4.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	2.4
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-17T14:33:07Z/

url

https://www.elementary-data.com/post/are-dbt-packages-secure-the-answer-lies-in-your-dwh-policies

reference_url

https://www.equalexperts.com/blog/tech-focus/are-you-at-risk-from-this-critical-dbt-vulnerability

reference_id

are-you-at-risk-from-this-critical-dbt-vulnerability

reference_type

scores

value	4.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	2.4
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-17T14:33:07Z/

url

https://www.equalexperts.com/blog/tech-focus/are-you-at-risk-from-this-critical-dbt-vulnerability

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-40637

reference_id

CVE-2024-40637

reference_type

scores

value	4.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L

value	2.4
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-40637

reference_url

https://github.com/advisories/GHSA-p3f3-5ccg-83xq

reference_id

GHSA-p3f3-5ccg-83xq

reference_type

scores

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-p3f3-5ccg-83xq

reference_url

https://github.com/dbt-labs/dbt-core/security/advisories/GHSA-p3f3-5ccg-83xq

reference_id

GHSA-p3f3-5ccg-83xq

reference_type

scores

value	4.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

value	2.4
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-17T14:33:07Z/

url

https://github.com/dbt-labs/dbt-core/security/advisories/GHSA-p3f3-5ccg-83xq

reference_url

https://docs.getdbt.com/reference/global-configs/legacy-behaviors#behavior-change-flags

reference_id

legacy-behaviors#behavior-change-flags

reference_type

scores

value	4.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	2.4
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-17T14:33:07Z/

url

https://docs.getdbt.com/reference/global-configs/legacy-behaviors#behavior-change-flags

reference_url

https://docs.getdbt.com/docs/build/packages

reference_id

packages

reference_type

scores

value	4.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	2.4
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-17T14:33:07Z/

url

https://docs.getdbt.com/docs/build/packages

reference_url

https://tempered.works/posts/2024/07/06/preventing-data-theft-with-gcp-service-controls

reference_id

preventing-data-theft-with-gcp-service-controls

reference_type

scores

value	4.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	2.4
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-17T14:33:07Z/

url

https://tempered.works/posts/2024/07/06/preventing-data-theft-with-gcp-service-controls

fixed_packages

url pkg:pypi/dbt-core@1.6.14

purl pkg:pypi/dbt-core@1.6.14

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-8ua2-19er-1fgy

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/dbt-core@1.6.14

url pkg:pypi/dbt-core@1.7.14

purl pkg:pypi/dbt-core@1.7.14

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-8ua2-19er-1fgy

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/dbt-core@1.7.14

aliases CVE-2024-40637, GHSA-p3f3-5ccg-83xq, PYSEC-2024-66

risk_score 3.5

exploitability 0.5

weighted_severity 7.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gbmk-13y4-rkgg

Fixing_vulnerabilities

Risk_score 3.5

Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/dbt-core@0.17.0rc3

Package Instance