Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-p72q-h37j-3hq7: dbt uses a SQLparse version with a high vulnerability

Summary

Using a version of sqlparse that has a security vulnerability and no way to update in current version of dbt core. Snyk recommends using sqlparse==0.5 but this causes a conflict with dbt. Snyk states the issues is a recursion error: SNYK-PYTHON-SQLPARSE-6615674.

Details

Dependency conflict error message:

The conflict is caused by:
    The user requested sqlparse==0.5
    dbt-core 1.7.10 depends on sqlparse<0.5 and >=0.2.3

Resolution was to pin sqlparse >=0.5.0, <0.6.0 in dbt-core, patched in 1.6.13 and 1.7.13.

PoC

From Snyk:

import sqlparse
sqlparse.parse('[' * 10000 + ']' * 10000)

Impact

Snyk classifies it as high 7.5/10.

Patches

The bug has been fixed in dbt-core v1.6.13 and dbt-core v1.7.13.

Mitigations

Bump dbt-core 1.6 and 1.7 dependencies to 1.6.13 and 1.7.13 respectively

ghsa
#sql#vulnerability#git

Summary

Using a version of sqlparse that has a security vulnerability and no way to update in current version of dbt core. Snyk recommends using sqlparse==0.5 but this causes a conflict with dbt. Snyk states the issues is a recursion error: SNYK-PYTHON-SQLPARSE-6615674.

Details

Dependency conflict error message:

The conflict is caused by: The user requested sqlparse==0.5 dbt-core 1.7.10 depends on sqlparse<0.5 and >=0.2.3

Resolution was to pin sqlparse >=0.5.0, <0.6.0 in dbt-core, patched in 1.6.13 and 1.7.13.

PoC

From Snyk:

import sqlparse sqlparse.parse('[' * 10000 + ']' * 10000)

Impact

Snyk classifies it as high 7.5/10.

Patches

The bug has been fixed in dbt-core v1.6.13 and dbt-core v1.7.13.

Mitigations

Bump dbt-core 1.6 and 1.7 dependencies to 1.6.13 and 1.7.13 respectively

References

  • GHSA-p72q-h37j-3hq7
  • https://security.snyk.io/vuln/SNYK-PYTHON-SQLPARSE-6615674
  • GHSA-2m57-hf25-phgg

ghsa: Latest News

GHSA-6jrf-rcjf-245r: changedetection.io path traversal using file URI scheme without supplying hostname