exploitDog

GHSA-j4g3-3q8x-jxqp

Published: 08 Dec 2023
Source: github
GitHub: reviewed
CVSS3: 3.2

Description

dbt-core's secret env vars written to package-lock.json in plaintext

Impact

When used to pull source code from a private repository using a Personal Access Token (PAT), some versions of dbt-core write a URL with the PAT in plaintext to the package-lock.yml file.

Patches

The bug has been fixed in dbt-core v1.7.3.

Mitigations

Remove any git URLs with plaintext secrets from package-lock.yml file(s) on servers, workstations, or in source control. Rotate any tokens that have been written to version-controlled files.
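As an added example (not part of this advisory or of dbt-core itself), a small Python script that carries out the first mitigation step: it scans a package-lock.yml for git URLs that carry a token or password in the userinfo part, reports them, and rewrites the file with the credential stripped. The sample lockfile and its layout are constructed for illustration; the token value is a placeholder.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample of a dbt package-lock.yml (layout assumed for this
# example, not taken from the advisory). The first git entry embeds a
# placeholder PAT as userinfo, which is exactly what the bug writes out.
SAMPLE_LOCKFILE = """\
packages:
  - git: https://ghp_EXAMPLETOKEN123@github.com/example-org/private-dbt-pkg.git
    revision: 0.1.0
  - package: dbt-labs/dbt_utils
    version: 1.1.1
sha1_hash: 0000000000000000000000000000000000000000
"""

URL_RE = re.compile(r"https?://[^\s\"']+")


def find_url_secrets(text):
    """Return (line_no, url) for every URL whose userinfo carries a
    username (a bare token) or a password."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for url in URL_RE.findall(line):
            parts = urlsplit(url)
            if parts.username or parts.password:
                hits.append((line_no, url))
    return hits


def redact_url(url):
    """Rebuild the URL without its userinfo, keeping host, port and path."""
    parts = urlsplit(url)
    netloc = parts.hostname or ""
    if parts.port:
        netloc += f":{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def redact_lockfile(text):
    """Return the lockfile text with every credential-bearing URL redacted."""
    redacted = text
    for _, url in find_url_secrets(text):
        redacted = redacted.replace(url, redact_url(url))
    return redacted


if __name__ == "__main__":
    for line_no, url in find_url_secrets(SAMPLE_LOCKFILE):
        print(f"line {line_no}: credential in URL -> {redact_url(url)}")
    print(redact_lockfile(SAMPLE_LOCKFILE))
```

Any token the script reports has already been written to disk and should be rotated regardless of the redaction, as the advisory notes.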

Packages

Name: dbt-core (pip)
Affected versions: >= 1.7.0, < 1.7.3
Fixed version: 1.7.3

3.2 Low

CVSS3

Weaknesses

CWE-315