
Cloud Vulnerability DB
A community-led vulnerabilities database
The vulnerability (GHSA-j4g3-3q8x-jxqp) affects dbt-core versions 1.7.0 to 1.7.3 and involves exposure of sensitive information: Personal Access Tokens (PATs) used to access private repositories are written in plaintext to the package-lock.yml file. The issue was discovered and disclosed on December 8, 2023, and affects the dbt-core package distributed through pip (GitHub Advisory).
The vulnerability has been assigned a CVSS score of 3.2 (Low severity) with the following characteristics: Local attack vector, Low attack complexity, Low privileges required, User interaction required, Changed scope, Low confidentiality impact, and No impact on integrity or availability. The CVSS string is CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N. The issue occurs specifically when dbt-core pulls package source code from private repositories using PATs embedded in the git URL; those tokens are then inadvertently recorded in the package-lock.yml file (GitHub Advisory).
The primary impact of this vulnerability is exposure of the Personal Access Tokens used to access private repositories. Because the tokens are written in plaintext to package-lock.yml, they are disclosed to anyone who obtains the file, for example when it is shared or committed to a version control system, which can lead to unauthorized access to the private repositories the tokens protect (GitHub Advisory).
The vulnerability has been patched in dbt-core version 1.7.3, and users are advised to upgrade to this version or later. For immediate mitigation, users should: 1) remove any git URLs containing plaintext secrets from package-lock.yml files on servers, on workstations, and in source control, and 2) rotate any tokens that may have been written to version-controlled files, since removing the file from history does not undo the exposure (GitHub Advisory, Release Notes).
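The mitigation above is easy to automate. The following script is an added example, not code from dbt-core or the advisory: it scans a package-lock.yml (or any text file) for URLs whose userinfo component carries an embedded credential, reports the offending lines so the tokens can be rotated, and writes back a redacted copy with the credential stripped. The lock-file layout in the constructed sample (a `packages:` list with `git:` and `revision:` keys) and the token values are assumptions made for the example; the scan itself only relies on the URL syntax, so it works regardless of the exact YAML shape. A bare `git@` user on an ssh:// URL is deliberately not flagged, because that is a username, not a secret.

```python
import re
import sys
from urllib.parse import urlsplit, urlunsplit

# Constructed sample lock file. Key names and tokens are placeholders chosen
# for this example (ghp_/glpat- prefixes mimic GitHub/GitLab token formats).
SAMPLE_LOCK = """packages:
  - git: https://ghp_EXAMPLETOKEN0000@github.com/example-org/private-models.git
    revision: v1.2.0
  - git: https://deploy-bot:glpat-EXAMPLE@gitlab.example.com/team/macros.git
    revision: main
  - git: ssh://git@github.com/example-org/shared-macros.git
    revision: main
  - git: https://github.com/dbt-labs/dbt-utils.git
    revision: 1.1.1
  - package: dbt-labs/dbt_utils
    version: 1.1.1
sha1_hash: 0000000000000000000000000000000000000000
"""

# Any absolute URL up to the next whitespace or quote character.
URL_RE = re.compile(r"(?:https?|ssh|git)://[^\s'\"]+")


def has_embedded_credential(url):
    """True when the URL's userinfo looks like a secret rather than a plain login.

    Heuristic: a password is always a secret; a lone username is a secret unless it
    is the conventional 'git' user found on ssh:// remotes.
    """
    parts = urlsplit(url)
    if parts.password:
        return True
    return bool(parts.username) and parts.username != "git"


def find_credentialed_urls(text):
    """Return [(line_number, url), ...] for every URL carrying an embedded credential."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in URL_RE.finditer(line):
            url = match.group(0)
            if has_embedded_credential(url):
                hits.append((line_no, url))
    return hits


def redact_url(url):
    """Strip the userinfo component ('user:secret@') from a credentialed URL."""
    if not has_embedded_credential(url):
        return url
    parts = urlsplit(url)
    # Drop everything up to the last '@' in the authority; hostname:port stays intact.
    host = parts.netloc.rsplit("@", 1)[-1]
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))


def redact_text(text):
    """Return the text with every credentialed URL replaced by its redacted form."""
    return URL_RE.sub(lambda m: redact_url(m.group(0)), text)


def scan_and_redact_file(path, write_back=False):
    """Scan one file; optionally overwrite it with the redacted content. Returns the hits."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    hits = find_credentialed_urls(text)
    if hits and write_back:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(redact_text(text))
    return hits


if __name__ == "__main__":
    # Usage: python scan_lock.py [--fix] package-lock.yml [...]
    # Exit status 1 when any credential is found, so it can gate a commit or a CI job.
    args = sys.argv[1:]
    fix = "--fix" in args
    paths = [a for a in args if a != "--fix"] or []
    found = False
    for p in paths:
        for line_no, url in scan_and_redact_file(p, write_back=fix):
            found = True
            print(f"{p}:{line_no}: embedded credential in {redact_url(url)} (rotate this token)")
    if not paths:
        for line_no, url in find_credentialed_urls(SAMPLE_LOCK):
            found = True
            print(f"sample:{line_no}: embedded credential in {redact_url(url)}")
    sys.exit(1 if found else 0)
```

Note that the report prints only the redacted URL, so the scanner's own output does not leak the token into CI logs; the line number is enough to locate the entry and decide which token to rotate. Redacting the lock file is a cleanup step, not a fix: any token that was ever committed must be treated as compromised and rotated, exactly as the advisory says.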
Source: This report was generated using AI