Headline
GHSA-j4g3-3q8x-jxqp: dbt-core's secret env vars written to package-lock.yml in plaintext
Impact
When used to pull source code from a private git repository using a Personal Access Token (PAT), dbt-core 1.7.0 through 1.7.2 write the rendered git URL, with the PAT substituted in plaintext, to the package-lock.yml file instead of the unrendered URL that references the secret environment variable.
Patches
The bug has been fixed in dbt-core v1.7.3.
Mitigations
Remove any git URLs with plaintext secrets from package-lock.yml file(s) on servers, workstations, or in source control. Rotate any tokens that have been written to version-controlled files.
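The mitigation above asks you to find lock files that contain a rendered credential. The following scanner is an added example, not dbt's own code or tooling: it reads a package-lock.yml (or packages.yml), picks out `git:` entries, skips entries that still contain an unrendered `{{ env_var(...) }}` placeholder (the form a correct lock file should contain), and reports http(s) URLs whose userinfo carries a literal credential, printing only a redacted form of the URL so the scan itself does not leak the token. The lock-file layout is assumed from dbt's documented `packages` list format, and the sample file, token and repository names are constructed for the example.

```python
"""Scan dbt package-lock.yml / packages.yml for git URLs with plaintext credentials.

Added example for GHSA-j4g3-3q8x-jxqp; not part of dbt-core. Assumes the lock
file lists packages as `- git: <url>` entries (dbt's documented format).
"""
import re
import sys
from urllib.parse import urlsplit, urlunsplit

# Matches a `git:` key in a package entry; quotes around the URL are optional.
GIT_ENTRY_RE = re.compile(r'^\s*-?\s*git:\s*(.+?)\s*$')


def has_unrendered_env_var(url: str) -> bool:
    """True when the URL still holds a Jinja placeholder such as {{ env_var('X') }}.

    This is the form a correct lock file contains; it is not a leaked secret."""
    return "{{" in url and "}}" in url


def embedded_credential(url: str):
    """Return (username, password) if an http(s) URL embeds userinfo, else None.

    ssh-style URLs (git@github.com:org/repo.git, ssh://git@...) are not
    considered: the `git` user there is a login name, not a secret."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    if parts.username is None and parts.password is None:
        return None
    return parts.username, parts.password


def redact(url: str) -> str:
    """Replace the userinfo part of a URL with *** so findings can be logged safely."""
    parts = urlsplit(url)
    host = parts.netloc.rpartition("@")[2]
    return urlunsplit((parts.scheme, f"***@{host}", parts.path, parts.query, parts.fragment))


def scan_lockfile(text: str) -> list:
    """Return one finding per `git:` entry whose URL carries a plaintext credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = GIT_ENTRY_RE.match(line)
        if not m:
            continue
        url = m.group(1).strip().strip('"\'')
        if has_unrendered_env_var(url):
            continue  # unrendered template: expected content, nothing leaked
        cred = embedded_credential(url)
        if cred is not None:
            findings.append({
                "line": lineno,
                "url": redact(url),
                "has_password": cred[1] is not None,
            })
    return findings


# Constructed sample lock file: one unrendered placeholder (fine), one rendered
# fake token (the leak this advisory describes), one ssh URL (not a secret).
SAMPLE_LOCK = """\
packages:
- package: dbt-labs/dbt_utils
  version: 1.1.1
- git: "https://{{ env_var('DBT_ENV_SECRET_GIT_CREDENTIAL') }}@github.com/example-org/private-models.git"
  revision: 0123456789abcdef0123456789abcdef01234567
- git: "https://ghp_EXAMPLEtoken0000000000000000000000@github.com/example-org/private-models.git"
  revision: 0123456789abcdef0123456789abcdef01234567
- git: git@github.com:example-org/other-models.git
  revision: main
sha1_hash: 0000000000000000000000000000000000000000
"""


def main(paths: list) -> int:
    """Scan each path (or the built-in sample when none given); exit 1 on findings."""
    sources = [(p, open(p, encoding="utf-8").read()) for p in paths] or [("<sample>", SAMPLE_LOCK)]
    total = 0
    for name, text in sources:
        for f in scan_lockfile(text):
            total += 1
            kind = "user:password" if f["has_password"] else "token-as-username"
            print(f"{name}:{f['line']}: plaintext credential ({kind}) in {f['url']}")
    return 1 if total else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it against every package-lock.yml you can find (`git log -p -- package-lock.yml` also shows entries that were committed and later removed; a token that ever reached history must be rotated regardless of whether the current file is clean). After rotating, delete the affected lock file entries and regenerate the lock file with dbt-core 1.7.3 or later so the unrendered URL is written.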
Package
dbt-core (pip)
Affected versions
>= 1.7.0, < 1.7.3
Patched versions
1.7.3
References
- GHSA-j4g3-3q8x-jxqp
- dbt-labs/dbt-core@09f5bb3
- https://github.com/dbt-labs/dbt-core/releases/tag/v1.7.3
jtcohen6 published to dbt-labs/dbt-core
Dec 8, 2023
Published to the GitHub Advisory Database
Dec 8, 2023
Reviewed
Dec 8, 2023
Last updated
Dec 8, 2023