GMS-2023-5825: dbt-core's secret env vars written to package-lock.json in plaintext

December 8, 2023

Impact

When used to pull source code from a private repository using a Personal Access Token (PAT), some versions of dbt-core write a URL with the PAT in plaintext to the package-lock.yml file.

Patches

The bug has been fixed in dbt-core v1.7.3.

Mitigations

Remove any git URLs with plaintext secrets from package-lock.yml file(s) on servers, workstations, or in source control. Rotate any tokens that have been written to version-controlled files.

References

github.com/advisories/GHSA-j4g3-3q8x-jxqp
github.com/dbt-labs/dbt-core/commit/09f5bb3dcffeda7a60ad2b22c2891f237628ecd1
github.com/dbt-labs/dbt-core/releases/tag/v1.7.3
github.com/dbt-labs/dbt-core/security/advisories/GHSA-j4g3-3q8x-jxqp

Code Behaviors & Features

Detect and mitigate GMS-2023-5825 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →