{"id":"CVE-2024-36105","summary":"dbt allows Binding to an Unrestricted IP Address via socket.socket","details":"dbt enables data analysts and engineers to transform their data using the same practices that software engineers use to build applications. Prior to versions 1.6.15, 1.7.15, and 1.8.1, binding to `INADDR_ANY (0.0.0.0)` or `IN6ADDR_ANY (::)` exposes an application on all network interfaces, increasing the risk of unauthorized access. As stated in the Python docs, a special form for address is accepted instead of a host address: `''` represents `INADDR_ANY`, equivalent to `\"0.0.0.0\"`. On systems with IPv6, `''` represents `IN6ADDR_ANY`, which is equivalent to `\"::\"`. A user who serves docs on an unsecured public network may unknowingly be hosting an unsecured (http) web site for any remote user/system to access on the same network. The issue has been mitigated in dbt-core v1.6.15, dbt-core v1.7.15, and dbt-core v1.8.1 by binding to localhost explicitly by default in `dbt docs serve`.\n","aliases":["GHSA-pmrx-695r-4349"],"modified":"2026-04-10T05:14:10.096773Z","published":"2024-05-27T17:17:39.875Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-1327"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/36xxx/CVE-2024-36105.json"},"references":[{"type":"WEB","url":"https://cwe.mitre.org/data/definitions/1327.html"},{"type":"WEB","url":"https://docs.python.org/3/library/socket.html#socket-families"},{"type":"WEB","url":"https://docs.securesauce.dev/rules/PY030"},{"type":"WEB","url":"https://github.com/dbt-labs/dbt-core/blob/main/core/dbt/task/docs/serve.py#L23C38-L23C39"},{"type":"WEB","url":"https://github.com/dbt-labs/dbt-core/releases/tag/v1.6.15"},{"type":"WEB","url":"https://github.com/dbt-labs/dbt-core/releases/tag/v1.7.15"},{"type":"WEB","url":"https://github.com/dbt-labs/dbt-core/releases/tag/v1.8.1"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/36xxx/CVE-2024-36105.json"},{"type":"ADVISORY","url":"https://github.com/dbt-labs/dbt-core/security/advisories/GHSA-pmrx-695r-4349"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-36105"},{"type":"REPORT","url":"https://github.com/dbt-labs/dbt-core/issues/10209"},{"type":"FIX","url":"https://github.com/dbt-labs/dbt-core/commit/0c08d7a19ad1740be3cb0b2e6d9d64f6537176f7"},{"type":"FIX","url":"https://github.com/dbt-labs/dbt-core/pull/10208"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/dbt-labs/dbt-core","events":[{"introduced":"0"},{"fixed":"0c08d7a19ad1740be3cb0b2e6d9d64f6537176f7"}]},{"type":"GIT","repo":"https://github.com/dbt-labs/dbt-core","events":[{"introduced":"0"},{"fixed":"86f5cb1949769a64a841f1bdda8f963bf58d63c0"}]},{"type":"GIT","repo":"https://github.com/dbt-labs/dbt-core","events":[{"introduced":"0"},{"fixed":"72b0f86fa6f6e635b80c146f9eadee2f1b3537dd"}]},{"type":"GIT","repo":"https://github.com/dbt-labs/dbt-core","events":[{"introduced":"0"},{"fixed":"48a3a098ed120e2b921de7fa8e30452191a147e1"}]},{"type":"GIT","repo":"https://github.com/dbt-labs/dbt-core","events":[{"introduced":"0"},{"fixed":"0c08d7a19ad1740be3cb0b2e6d9d64f6537176f7"}]},{"type":"GIT","repo":"https://github.com/dbt-labs/dbt-core","events":[{"introduced":"0"},{"fixed":"86f5cb1949769a64a841f1bdda8f963bf58d63c0"}]},{"type":"GIT","repo":"https://github.com/dbt-labs/dbt-core","events":[{"introduced":"0"},{"fixed":"72b0f86fa6f6e635b80c146f9eadee2f1b3537dd"}]},{"type":"GIT","repo":"https://github.com/dbt-labs/dbt-core","events":[{"introduced":"0"},{"fixed":"48a3a098ed120e2b921de7fa8e30452191a147e1"}]}],"versions":["0.11.1","0.3.0","0.4.1","0.5.2","v0.10.0","v0.10.1","v0.11.0","v0.15.0","v0.16.0b1","v0.16.0b3","v0.18.0","v0.18.0b2","v0.18.0rc1","v0.19.0b1","v0.19.0rc1","v0.19.0rc2","v0.2.3.0","v0.20.0b1","v0.20.0rc1","v0.21.0b1","v0.4.0","v0.4.7","v0.5.0","v0.5.1","v0.6.0","v0.6.1","v0.6.2","v0.7.0","v0.7.1","v0.8.0","v0.8.1","v0.8.2","v0.8.3","v0.9.0","v0.9.0a1","v0.9.0a2","v0.9.1","v1.0.0b1","v1.0.0b2","v1.0.0rc1","v1.0.0rc2","v1.0.0rc3","v1.1.0b1","v1.2.0b1","v1.3.0b1","v1.3.0b2","v1.4.0b1","v1.7.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-36105.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}]}