dbt-common is the shared common utilities for dbt-core and adapter implementations use. Prior to versions 1.34.2 and 1.37.3, a path traversal vulnerability exists in dbt-common's safe_extract() function used when extracting tarball archives. The function uses os.path.commonprefix() to validate that extracted files remain within the intended destination directory.
However, commonprefix() compares paths character-by-character rather than by path components, allowing a malicious tarball to write files to sibling directories with matching name prefixes. This issue has been patched in versions 1.34.2 and 1.37.3.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Attack Requirements
Present
Additional conditions required
Privileges Required
Low
Basic privileges needed
User Interaction
Active
User action required
Impact Assessment
Confidentiality
None
No data leak
Integrity
Low
Partial data modification
Availability
None
No disruption
CVSS Vector v4.0
Weakness Type (CWE)
Vulnerable Products 2
| Configuration | From (including) | Up to (excluding) |
|---|---|---|
|
Getdbt Dbt-Common
cpe:2.3:a:getdbt:dbt-common:*:*:*:*:*:*:*:*
|
— |
1.34.2
|
|
Getdbt Dbt-Common
cpe:2.3:a:getdbt:dbt-common:*:*:*:*:*:*:*:*
|
1.35.0
|
1.37.3
|