Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
dbt has a Command Injection in Reusable Workflow via Unsanitized comment-body Output
Vulnerability Description
dbt enables data analysts and engineers to transform their data using the same practices that software engineers use to build applications. Inside the reusable workflow dbt-labs/actions/blob/main/.github/workflows/open-issue-in-repo.yml, the prep job uses peter-evans/find-comment to search for an existing comment indicating that a docs issue has already been opened. The output steps.issue_comment.outputs.comment-body is then interpolated directly into a bash if statement. Because comment-body is attacker-controlled text and is inserted into shell syntax without escaping, a malicious comment body can break out of the quoted string and inject arbitrary shell commands. This vulnerability is fixed with commit bbed8d28354e9c644c5a7df13946a3a0451f9ab9.
CVSS Information
N/A
Vulnerability Type
OS命令中使用的特殊元素转义处理不恰当(OS命令注入)
Vulnerability Title
dbt 操作系统命令注入漏洞
Vulnerability Description
dbt是dbt Labs开源的一个数据转写工具。 dbt存在操作系统命令注入漏洞,该漏洞源于将攻击者控制的文本直接插入shell语法而未转义,可能导致注入任意shell命令。
CVSS Information
N/A
Vulnerability Type
N/A