Veracode Vulnerability DatabaseVERACODE:47238Binding To An Unrestricted IP Address
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
6.7 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
13.1%
dbt-core is vulnerable to Binding to an Unrestricted IP Address. The vulnerability is due to the binding of INADDR_ANY or IN6ADDR_ANY to any network interface on the local system (not just localhost), which exposes the application on all network interfaces. An attacker can gain unauthorized access by connecting to the application from any network interface.
References
cwe.mitre.org/data/definitions/1327.html
docs.python.org/3/library/socket.html#socket-families
docs.securesauce.dev/rules/PY030
github.com/advisories/GHSA-pmrx-695r-4349
github.com/dbt-labs/dbt-core/blob/main/core/dbt/task/docs/serve.py#L23C38-L23C39
github.com/dbt-labs/dbt-core/commit/0c08d7a19ad1740be3cb0b2e6d9d64f6537176f7
github.com/dbt-labs/dbt-core/issues/10209
github.com/dbt-labs/dbt-core/pull/10208
github.com/dbt-labs/dbt-core/releases/tag/v1.6.15
github.com/dbt-labs/dbt-core/releases/tag/v1.7.15
github.com/dbt-labs/dbt-core/releases/tag/v1.8.1
github.com/dbt-labs/dbt-core/security/advisories/GHSA-pmrx-695r-4349
Related
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
6.7 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
13.1%