CVE-2024-36105
dbt allows Binding to an Unrestricted IP Address via socketsocket
描述
### Summary Binding to `INADDR_ANY (0.0.0.0)` or `IN6ADDR_ANY (::)` exposes an application on all network interfaces, increasing the risk of unauthorized access. While doing some static analysis and code inspection, I found the following code binding a socket to `INADDR_ANY` by passing `""` as the address. This effectively binds to any network interface on the local system, not just localhost (127.0.0.1). ### Details As stated in the Python docs, a special form for address is accepted instead of a host address: `''` represents `INADDR_ANY`, equivalent to `"0.0.0.0"`. On systems with IPv6, '' represents `IN6ADDR_ANY`, which is equivalent to `"::"`. https://github.com/dbt-labs/dbt-core/blob/main/core/dbt/task/docs/serve.py#L23C38-L23C39 The text around this code also imply the intention is to host docs only on localhost. ### PoC To recreate, run the docs ServeTask.run() to stand up the HTTP server. Then run `netstat` to see what addresses this process is bound. ### Impact A user who serves docs on an unsecured public network, may unknowingly be hosting an unsecured (http) web site for any remote user/system to access on the same network. Further references: https://docs.python.org/3/library/socket.html#socket-families https://docs.securesauce.dev/rules/PY030 https://cwe.mitre.org/data/definitions/1327.html ### Patches The issue has has been mitigated in [dbt-core v1.6.15](https://github.com/dbt-labs/dbt-core/releases/tag/v1.6.15), [dbt-core v1.7.15](https://github.com/dbt-labs/dbt-core/releases/tag/v1.7.15), and [dbt-core v1.8.1](https://github.com/dbt-labs/dbt-core/releases/tag/v1.8.1) by binding to localhost explicitly by default in `dbt docs serve` (https://github.com/dbt-labs/dbt-core/issues/10209).
如何修補 CVE-2024-36105
要修補 CVE-2024-36105,請將受影響套件升級到下列已修補版本。
- —升級至 1.6.15 或更新版本
CVE-2024-36105 正在被利用嗎?
低 — EPSS 為 0.3%,目前沒有觀察到大規模利用活動。
受影響套件(1)
- from 0, < 1.6.15