Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
dbt-common: commonprefix() doesn't protect against path traversal
Vulnerability Description
dbt-common is the shared common utilities for dbt-core and adapter implementations use. Prior to versions 1.34.2 and 1.37.3, a path traversal vulnerability exists in dbt-common's safe_extract() function used when extracting tarball archives. The function uses os.path.commonprefix() to validate that extracted files remain within the intended destination directory. However, commonprefix() compares paths character-by-character rather than by path components, allowing a malicious tarball to write files to sibling directories with matching name prefixes. This issue has been patched in versions 1.34.2 and 1.37.3.
CVSS Information
N/A
Vulnerability Type
对路径名的限制不恰当(路径遍历)
Vulnerability Title
dbt-common 路径遍历漏洞
Vulnerability Description
dbt-common是dbt Labs开源的一个数据构建工具共享的公共工具库。 dbt-common 1.34.2之前版本和1.37.3之前版本存在路径遍历漏洞,该漏洞源于safe_extract函数使用os.path.commonprefix进行路径验证,可能导致路径遍历攻击。
CVSS Information
N/A
Vulnerability Type
N/A