
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
CVE-2024-36105 affects dbt-core versions prior to 1.6.15, 1.7.15, and 1.8.1. The vulnerability involves binding to INADDR_ANY (0.0.0.0) or IN6ADDR_ANY (::) in the dbt docs serve functionality, which exposes the application on all network interfaces, increasing the risk of unauthorized access (GitHub Advisory).
The vulnerability stems from using an empty string ('') as the host address in the socket binding configuration, which is equivalent to INADDR_ANY (0.0.0.0) for IPv4 and IN6ADDR_ANY (::) for IPv6 systems. This behavior is documented in Python's socket implementation, where an empty string represents binding to all network interfaces (Python Docs). The issue was identified in the dbt/task/docs/serve.py file, where the TCP server was configured to bind to all interfaces (GitHub Code).
The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (GitHub Advisory).
When a user serves docs on an unsecured public network, they may unknowingly be hosting an unsecured (HTTP) website accessible to any remote user or system on the same network. This exposure could lead to unauthorized access to documentation and potential information disclosure (GitHub Advisory).
The issue has been fixed in dbt-core versions 1.6.15, 1.7.15, and 1.8.1 by explicitly binding to localhost (127.0.0.1) by default in the dbt docs serve functionality. Users should upgrade to these patched versions to mitigate the vulnerability (GitHub Advisory).
The community has noted that while the fix improves security, it has affected some deployment scenarios, particularly in Kubernetes environments where binding to localhost prevents readiness checks from passing. As a result, there are ongoing discussions about adding a --host flag to allow configurable binding addresses while maintaining localhost as the secure default (GitHub PR).
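The following is an added example, not code from dbt-core or the advisory: it shows how Python's socket layer turns an empty host string into a listener on 0.0.0.0, a check that flags wildcard bind addresses, and a loopback-default server with an opt-in host argument of the kind the --host discussion describes. start_docs_server and parse_serve_args are hypothetical stand-ins for the real serve.py code.

```python
import argparse
import socket
import socketserver
from http.server import SimpleHTTPRequestHandler

# Host strings Python's socket layer treats as "listen on every interface":
# '' is the documented shorthand for INADDR_ANY (IPv4) / IN6ADDR_ANY (IPv6).
WILDCARD_HOSTS = {"", "0.0.0.0", "::"}


def binds_all_interfaces(host: str) -> bool:
    """Return True when a listener bound to `host` is reachable from the network."""
    return host.strip() in WILDCARD_HOSTS


def observed_bind_address(host: str) -> str:
    """Bind a throwaway IPv4 TCP socket to (host, 0) and report the address the
    kernel recorded; this is how '' shows up as 0.0.0.0 on a running system."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.bind((host, 0))
        return sock.getsockname()[0]


class DocsServer(socketserver.TCPServer):
    allow_reuse_address = True  # avoid TIME_WAIT bind failures on quick restarts


def start_docs_server(host: str = "127.0.0.1", port: int = 0) -> DocsServer:
    """Hypothetical docs server: passing '' reproduces the pre-fix exposure, the
    default reproduces the loopback-only fix. Port 0 lets the OS pick a free port."""
    return DocsServer((host, port), SimpleHTTPRequestHandler)


def parse_serve_args(argv: list[str]) -> argparse.Namespace:
    """Hypothetical --host flag: secure default, explicit opt-in to wider exposure
    (for example a Kubernetes pod whose readiness probe must reach the listener)."""
    parser = argparse.ArgumentParser(prog="docs-serve")
    parser.add_argument("--host", default="127.0.0.1",
                        help="address to bind; default is loopback only")
    parser.add_argument("--port", type=int, default=8080)
    args = parser.parse_args(argv)
    if binds_all_interfaces(args.host):
        print(f"warning: host {args.host!r} exposes the docs server on all interfaces")
    return args


if __name__ == "__main__":
    print("'' binds to:", observed_bind_address(""))  # 0.0.0.0
    with start_docs_server() as httpd:
        print("fixed default listens on", httpd.server_address)
```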
Source: This report was generated using AI