{"id":14275,"date":"2024-07-02T11:12:16","date_gmt":"2024-07-02T10:12:16","guid":{"rendered":"https:\/\/ee.yelkdev.site\/?p=14275"},"modified":"2024-12-09T14:59:42","modified_gmt":"2024-12-09T14:59:42","slug":"are-you-at-risk-from-this-critical-dbt-vulnerability","status":"publish","type":"post","link":"https:\/\/www.equalexperts.com\/blog\/tech-focus\/are-you-at-risk-from-this-critical-dbt-vulnerability\/","title":{"rendered":"Are you at risk from this critical dbt vulnerability?"},"content":{"rendered":"<p><strong>A newly discovered critical security vulnerability in the dbt ecosystem\u00a0<\/strong><\/p>\n<p>UPDATE 17th July 2024:\u00a0<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2024-40637\" target=\"_blank\" rel=\"noopener noreferrer\" data-stringify-link=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2024-40637\" data-sk=\"tooltip_parent\">CVE-2024-40637<\/a>\u00a0assigned and noted in\u00a0<a href=\"https:\/\/github.com\/dbt-labs\/dbt-core\/security\/advisories\/GHSA-p3f3-5ccg-83xq\" target=\"_blank\" rel=\"noopener noreferrer\" data-stringify-link=\"https:\/\/github.com\/dbt-labs\/dbt-core\/security\/advisories\/GHSA-p3f3-5ccg-83xq\" data-sk=\"tooltip_parent\">GitHub<\/a>.<br \/>\nCVSS score 4.2.<\/p>\n<p>Today we\u2019re sharing news of a critical security vulnerability that affects users of the dbt package ecosystem. This vulnerability, which I discovered with <a href=\"https:\/\/www.linkedin.com\/in\/michalczerwinski\/\">Michal Czerwinski<\/a>, highlights the challenges our industry faces around the security of new software package supply chains. We responsibly disclosed our concerns to <a href=\"https:\/\/www.getdbt.com\/\">dbt Labs<\/a>, who accepted the vulnerability and have implemented mitigations.<\/p>\n<h2>Understanding the vulnerability<\/h2>\n<p>The dbt tool is widely used to transform data within data warehouses. 
It allows data analysts and engineers to write modular SQL queries, which can be used in data pipelines.<\/p>\n<p>dbt\u2019s power and flexibility have made it a popular choice in the analytics engineering space, but that same flexibility also introduces significant risks. Because dbt brings its own ecosystem of software packages, the core of this vulnerability is the trust model inherent in software supply chains.<\/p>\n<p>The potential impact of this vulnerability is severe. An attacker could:<\/p>\n<ol>\n<li aria-level=\"1\"><strong>Manipulate data:<\/strong> alter or delete data, leading to data integrity issues<\/li>\n<li aria-level=\"1\"><strong>Exfiltrate data:<\/strong> extract sensitive information from or change permissions in the database<\/li>\n<\/ol>\n<blockquote><p><em>&#8220;During a threat assessment for one of our clients, we encountered several security concerns. As I explored how to securely expose the DBT ecosystem to our developers, it became clear that there are significant challenges in addressing software supply chain security within the current DBT module ecosystem.&#8221; \u2013 Michal Czerwinski<\/em><\/p><\/blockquote>\n<p>When users install dbt packages from sources other than dbt Labs, they trust that these packages perform the advertised function and nothing more. In affected versions, the new vulnerability abuses the way dbt generates SQL, allowing a malicious dbt package to execute SQL injection attacks without any user interaction. An attacker could craft a dbt package that, once installed, could change, exfiltrate, or delete data within the victim database. We believe this vulnerability affects both dbt-core and the dbt Cloud hosted service.<\/p>\n<p>We should note that dbt packages are not Python packages. They are a part of a dbt-specific package ecosystem that is largely unknown to the infosec community. 
Software Composition Analysis (SCA) tools like <a href=\"https:\/\/safetycli.com\/product\/safety-cli\">safetycli<\/a> and <a href=\"https:\/\/snyk.io\/\">Snyk<\/a> can, along with Static Application Security Testing (SAST), scan third-party and transitive dependencies, alerting users to known vulnerabilities they might be exposed to, but only in the package ecosystems those tools support.<\/p>\n<p><strong>This is a critical blind spot for users who depend on such tooling to inform them of vulnerabilities they are exposed to.<\/strong><\/p>\n<h2>Simple example: exfiltrating at scale on Google Cloud via dbt<\/h2>\n<p>Here\u2019s a simple exploit we crafted to demonstrate the problem. An attacker creates a malicious dbt package that copies your data out of Google BigQuery in the background whilst performing its advertised function.<\/p>\n<img decoding=\"async\" class=\"alignnone wp-image-14278 size-full\" src=\"https:\/\/www.equalexperts.com\/wp-content\/uploads\/2024\/07\/AD_4nXcCQu296yDYOsDS7S9lQI567Nf68FqOIQW7g5VymImby-NNZCJQqZasQme4hMF_Xfmy0L1wrEJN6rV7qM0w4LoTSEWh1M8ZeT_J7g6Sm_FAv0jxaGszhmwogO81JbDWHvkoO3TFb3dwPeZrXZrZZ1izlLP9.png\" alt=\"\" width=\"1600\" height=\"770\" srcset=\"https:\/\/www.equalexperts.com\/wp-content\/uploads\/2024\/07\/AD_4nXcCQu296yDYOsDS7S9lQI567Nf68FqOIQW7g5VymImby-NNZCJQqZasQme4hMF_Xfmy0L1wrEJN6rV7qM0w4LoTSEWh1M8ZeT_J7g6Sm_FAv0jxaGszhmwogO81JbDWHvkoO3TFb3dwPeZrXZrZZ1izlLP9.png 1600w, https:\/\/www.equalexperts.com\/wp-content\/uploads\/2024\/07\/AD_4nXcCQu296yDYOsDS7S9lQI567Nf68FqOIQW7g5VymImby-NNZCJQqZasQme4hMF_Xfmy0L1wrEJN6rV7qM0w4LoTSEWh1M8ZeT_J7g6Sm_FAv0jxaGszhmwogO81JbDWHvkoO3TFb3dwPeZrXZrZZ1izlLP9-300x144.png 300w, https:\/\/www.equalexperts.com\/wp-content\/uploads\/2024\/07\/AD_4nXcCQu296yDYOsDS7S9lQI567Nf68FqOIQW7g5VymImby-NNZCJQqZasQme4hMF_Xfmy0L1wrEJN6rV7qM0w4LoTSEWh1M8ZeT_J7g6Sm_FAv0jxaGszhmwogO81JbDWHvkoO3TFb3dwPeZrXZrZZ1izlLP9-1200x578.png 1200w, 
https:\/\/www.equalexperts.com\/wp-content\/uploads\/2024\/07\/AD_4nXcCQu296yDYOsDS7S9lQI567Nf68FqOIQW7g5VymImby-NNZCJQqZasQme4hMF_Xfmy0L1wrEJN6rV7qM0w4LoTSEWh1M8ZeT_J7g6Sm_FAv0jxaGszhmwogO81JbDWHvkoO3TFb3dwPeZrXZrZZ1izlLP9-768x370.png 768w, https:\/\/www.equalexperts.com\/wp-content\/uploads\/2024\/07\/AD_4nXcCQu296yDYOsDS7S9lQI567Nf68FqOIQW7g5VymImby-NNZCJQqZasQme4hMF_Xfmy0L1wrEJN6rV7qM0w4LoTSEWh1M8ZeT_J7g6Sm_FAv0jxaGszhmwogO81JbDWHvkoO3TFb3dwPeZrXZrZZ1izlLP9-1536x739.png 1536w\" sizes=\"(max-width: 1600px) 100vw, 1600px\" \/>\n<p>The attacker creates a project named \u201cmyco_example_project\u201d in Google Cloud, and creates a dataset \u201cexample_dataset\u201d inside. This dataset is shared with public Data Editor permissions, so a table can be created in this dataset, and data copied into it from anywhere.<\/p>\n<p>The attacker also creates or compromises a dbt package and publishes that in a public GitHub repository and <a href=\"https:\/\/hub.getdbt.com\/\">dbt Hub<\/a>, whilst also deploying marketing to tempt or trick unsuspecting victims into installing it. As with most such ecosystems, <a href=\"https:\/\/docs.getdbt.com\/docs\/build\/packages#hub-packages-recommended\">the dbt Hub documentation explicitly states that they do not \u201ccertify or confirm the \u2026 security of any Packages\u201d<\/a>, as <a href=\"https:\/\/hub.getdbt.com\/disclaimer\/\">reiterated in the disclaimer<\/a>. 
It is for the consumer to accept the risk of installing a specific package.<\/p>\n<p>Within our exploit package\u2019s directory structure is an innocuous-looking file \u201cmacros\/example.sql\u201d, starting with the following Jinja macro text:<\/p>\n<img decoding=\"async\" class=\"alignnone wp-image-14277 size-full\" src=\"https:\/\/www.equalexperts.com\/wp-content\/uploads\/2024\/07\/AD_4nXcD34lt1_f_P-yMzDfbyVakahhOyc6CLK535nE2KE6bw1LwTXqBof_HF14tHxPOVh94UCj4x3p-G2mvPsE84mypMzveFzIewQtWTGpIMENZeGNJxS3cmbUjJFnHCXFHBAFIqpX6E7rZbgbFdvpUKHShwoo.png\" alt=\"\" width=\"651\" height=\"280\" srcset=\"https:\/\/www.equalexperts.com\/wp-content\/uploads\/2024\/07\/AD_4nXcD34lt1_f_P-yMzDfbyVakahhOyc6CLK535nE2KE6bw1LwTXqBof_HF14tHxPOVh94UCj4x3p-G2mvPsE84mypMzveFzIewQtWTGpIMENZeGNJxS3cmbUjJFnHCXFHBAFIqpX6E7rZbgbFdvpUKHShwoo.png 651w, https:\/\/www.equalexperts.com\/wp-content\/uploads\/2024\/07\/AD_4nXcD34lt1_f_P-yMzDfbyVakahhOyc6CLK535nE2KE6bw1LwTXqBof_HF14tHxPOVh94UCj4x3p-G2mvPsE84mypMzveFzIewQtWTGpIMENZeGNJxS3cmbUjJFnHCXFHBAFIqpX6E7rZbgbFdvpUKHShwoo-300x129.png 300w\" sizes=\"(max-width: 651px) 100vw, 651px\" \/>\n<p>An unsuspecting victim installs the package from GitHub or dbt Hub. With no further interaction, they execute `dbt run` as usual, or it is run by their automation.<\/p>\n<p>In affected versions of dbt, this macro is run silently in place of the legitimate and <a href=\"https:\/\/docs.getdbt.com\/docs\/trusted-adapters\">trusted BigQuery adapter\u2019s version<\/a>. 
<strong>Whatever `SELECT *` produces against this model (and against each of the other models included in the run) is copied into a new table in the attacker\u2019s dataset in seconds.<\/strong> Evidence of the exfiltration would only be present in the dbt log files and GCP audit logging, neither of which would, by default, proactively alert the victim to the attack.<\/p>\n<h2>How to mitigate against this dbt vulnerability<\/h2>\n<p>The vendor has provided mitigations for the issue with the config flag <a href=\"https:\/\/docs.getdbt.com\/reference\/global-configs\/legacy-behaviors#package-override-for-built-in-materialization\">require_explicit_package_overrides_for_builtin_materializations<\/a>. The behaviour of this flag varies between versions of dbt-core and dbt Cloud, so refer to the <a href=\"https:\/\/docs.getdbt.com\/reference\/global-configs\/legacy-behaviors\">Legacy Behaviours documentation<\/a> to understand your current position and upgrade options. We offer the following advice for any dbt users to assess and mitigate the risks posed by this vulnerability:<\/p>\n<ol>\n<li aria-level=\"1\">Explicitly set the config flag <a href=\"https:\/\/docs.getdbt.com\/reference\/global-configs\/legacy-behaviors#package-override-for-built-in-materialization\">require_explicit_package_overrides_for_builtin_materializations to True in dbt_project.yml<\/a> for all your dbt projects.<\/li>\n<li aria-level=\"1\">dbt-core versions are Python dependencies. dbt Labs have recently updated their documentation to <a href=\"https:\/\/docs.getdbt.com\/docs\/dbt-versions\/core\">make a strong recommendation to keep versions up-to-date<\/a>. Ensure dbt-core versions are actively updated to the latest versions as these fixes become available, including in <a href=\"https:\/\/docs.getdbt.com\/docs\/dbt-versions\/upgrade-dbt-version-in-cloud\">dbt Cloud<\/a>.<\/li>\n<li aria-level=\"1\">Review dbt package usage in your organisation. 
Ensure packages are obtained from trusted sources such as the dbt vendor itself, and check that the value of a package outweighs the risk.<\/li>\n<li aria-level=\"1\">Ensure software dependencies are being scanned for known vulnerabilities, and that you have a vulnerability management process in place to respond to any alarms.<\/li>\n<li aria-level=\"1\">Review and minimise permissions that dbt is run with for human and unattended workloads.<\/li>\n<li aria-level=\"1\">Review the controls you have in place in your infrastructure that prevent transfer of data outside your organisational boundaries.<\/li>\n<\/ol>\n<p>These assessments and mitigations can prove challenging to undertake in practice. Equal Experts has published a <a href=\"https:\/\/playbooks.equalexperts.com\/secure-delivery-playbook\">Secure Delivery Playbook with lots of advice for applying security principles<\/a>. I\u2019ve also shared the practices I follow to <a href=\"https:\/\/tempered.works\/posts\/2024\/05\/01\/how-i-do-python-data-supply-chain-security\/#assessing-dependency-risk\">assess the risk a package represents<\/a> and to <a href=\"https:\/\/tempered.works\/posts\/2024\/05\/01\/how-i-do-python-data-supply-chain-security\/#updating-dependencies-automatically\">automatically update dependencies without causing chaos in my teams<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>EE team members Paul Brabban and Michal Czerwinski recently discovered a critical new security vulnerability in dbt. Here\u2019s what you need to know, and how to mitigate against the risks. 
<\/p>\n","protected":false},"author":168,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"content-type":"","inline_featured_image":false,"footnotes":""},"categories":[3],"tags":[460,226,458,459],"location":[397],"class_list":["post-14275","post","type-post","status-publish","format-standard","hentry","category-tech-focus","tag-data-transformation","tag-dbt","tag-supply-chain","tag-vulnerability"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v25.9 (Yoast SEO v25.9) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Are you at risk from this critical dbt vulnerability? | Equal Experts<\/title>\n<meta name=\"description\" content=\"EE team members Paul Brabban and Michal Czerwinski recently discovered a critical new security vulnerability in dbt.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.equalexperts.com\/blog\/tech-focus\/are-you-at-risk-from-this-critical-dbt-vulnerability\/\" \/>\n<meta property=\"og:locale\" content=\"en_GB\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Are you at risk from this critical dbt vulnerability?\" \/>\n<meta property=\"og:description\" content=\"EE team members Paul Brabban and Michal Czerwinski recently discovered a critical new security vulnerability in dbt. 
Here\u2019s what you need to know, and how to mitigate against the risks.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.equalexperts.com\/blog\/tech-focus\/are-you-at-risk-from-this-critical-dbt-vulnerability\/\" \/>\n<meta property=\"og:site_name\" content=\"Equal Experts\" \/>\n<meta property=\"article:published_time\" content=\"2024-07-02T10:12:16+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-12-09T14:59:42+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.equalexperts.com\/wp-content\/uploads\/2024\/07\/dbt-issue-FACEBOOK.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1000\" \/>\n\t<meta property=\"og:image:height\" content=\"525\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Paul Brabban\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:description\" content=\"EE team members Paul Brabban and Michal Czerwinski recently discovered a critical new security vulnerability in dbt. 
Here\u2019s what you need to know, and how to mitigate against the risks.\" \/>\n<meta name=\"twitter:creator\" content=\"@EqualExperts\" \/>\n<meta name=\"twitter:site\" content=\"@EqualExperts\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Paul Brabban\" \/>\n\t<meta name=\"twitter:label2\" content=\"Estimated reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.equalexperts.com\/blog\/tech-focus\/are-you-at-risk-from-this-critical-dbt-vulnerability\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.equalexperts.com\/blog\/tech-focus\/are-you-at-risk-from-this-critical-dbt-vulnerability\/\"},\"author\":{\"name\":\"Paul Brabban\",\"@id\":\"https:\/\/www.equalexperts.com\/#\/schema\/person\/ad309d5a8484849a75e1bdd9fe56878c\"},\"headline\":\"Are you at risk from this critical dbt vulnerability?\",\"datePublished\":\"2024-07-02T10:12:16+00:00\",\"dateModified\":\"2024-12-09T14:59:42+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.equalexperts.com\/blog\/tech-focus\/are-you-at-risk-from-this-critical-dbt-vulnerability\/\"},\"wordCount\":987,\"publisher\":{\"@id\":\"https:\/\/www.equalexperts.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.equalexperts.com\/blog\/tech-focus\/are-you-at-risk-from-this-critical-dbt-vulnerability\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.equalexperts.com\/wp-content\/uploads\/2024\/07\/AD_4nXcCQu296yDYOsDS7S9lQI567Nf68FqOIQW7g5VymImby-NNZCJQqZasQme4hMF_Xfmy0L1wrEJN6rV7qM0w4LoTSEWh1M8ZeT_J7g6Sm_FAv0jxaGszhmwogO81JbDWHvkoO3TFb3dwPeZrXZrZZ1izlLP9.png\",\"keywords\":[\"data transformation\",\"dbt\",\"supply chain\",\"vulnerability\"],\"articleSection\":[\"Tech 
Focus\"],\"inLanguage\":\"en-GB\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.equalexperts.com\/blog\/tech-focus\/are-you-at-risk-from-this-critical-dbt-vulnerability\/\",\"url\":\"https:\/\/www.equalexperts.com\/blog\/tech-focus\/are-you-at-risk-from-this-critical-dbt-vulnerability\/\",\"name\":\"Are you at risk from this critical dbt vulnerability? | Equal Experts\",\"isPartOf\":{\"@id\":\"https:\/\/www.equalexperts.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.equalexperts.com\/blog\/tech-focus\/are-you-at-risk-from-this-critical-dbt-vulnerability\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.equalexperts.com\/blog\/tech-focus\/are-you-at-risk-from-this-critical-dbt-vulnerability\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.equalexperts.com\/wp-content\/uploads\/2024\/07\/AD_4nXcCQu296yDYOsDS7S9lQI567Nf68FqOIQW7g5VymImby-NNZCJQqZasQme4hMF_Xfmy0L1wrEJN6rV7qM0w4LoTSEWh1M8ZeT_J7g6Sm_FAv0jxaGszhmwogO81JbDWHvkoO3TFb3dwPeZrXZrZZ1izlLP9.png\",\"datePublished\":\"2024-07-02T10:12:16+00:00\",\"dateModified\":\"2024-12-09T14:59:42+00:00\",\"description\":\"EE team members Paul Brabban and Michal Czerwinski recently discovered a critical new security vulnerability in 
dbt.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.equalexperts.com\/blog\/tech-focus\/are-you-at-risk-from-this-critical-dbt-vulnerability\/#breadcrumb\"},\"inLanguage\":\"en-GB\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.equalexperts.com\/blog\/tech-focus\/are-you-at-risk-from-this-critical-dbt-vulnerability\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\/\/www.equalexperts.com\/blog\/tech-focus\/are-you-at-risk-from-this-critical-dbt-vulnerability\/#primaryimage\",\"url\":\"https:\/\/www.equalexperts.com\/wp-content\/uploads\/2024\/07\/AD_4nXcCQu296yDYOsDS7S9lQI567Nf68FqOIQW7g5VymImby-NNZCJQqZasQme4hMF_Xfmy0L1wrEJN6rV7qM0w4LoTSEWh1M8ZeT_J7g6Sm_FAv0jxaGszhmwogO81JbDWHvkoO3TFb3dwPeZrXZrZZ1izlLP9.png\",\"contentUrl\":\"https:\/\/www.equalexperts.com\/wp-content\/uploads\/2024\/07\/AD_4nXcCQu296yDYOsDS7S9lQI567Nf68FqOIQW7g5VymImby-NNZCJQqZasQme4hMF_Xfmy0L1wrEJN6rV7qM0w4LoTSEWh1M8ZeT_J7g6Sm_FAv0jxaGszhmwogO81JbDWHvkoO3TFb3dwPeZrXZrZZ1izlLP9.png\",\"width\":1600,\"height\":770},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.equalexperts.com\/blog\/tech-focus\/are-you-at-risk-from-this-critical-dbt-vulnerability\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.equalexperts.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Are you at risk from this critical dbt vulnerability?\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.equalexperts.com\/#website\",\"url\":\"https:\/\/www.equalexperts.com\/\",\"name\":\"Equal Experts\",\"description\":\"Making Software. 
Better.\",\"publisher\":{\"@id\":\"https:\/\/www.equalexperts.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.equalexperts.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-GB\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.equalexperts.com\/#organization\",\"name\":\"Equal Experts\",\"url\":\"https:\/\/www.equalexperts.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\/\/www.equalexperts.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.equalexperts.com\/wp-content\/uploads\/2018\/08\/Equal_Experts_Logo_CMYK_Colour.jpg\",\"contentUrl\":\"https:\/\/www.equalexperts.com\/wp-content\/uploads\/2018\/08\/Equal_Experts_Logo_CMYK_Colour.jpg\",\"width\":719,\"height\":340,\"caption\":\"Equal Experts\"},\"image\":{\"@id\":\"https:\/\/www.equalexperts.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/x.com\/EqualExperts\",\"https:\/\/www.linkedin.com\/company\/equal-experts\/?viewAsMember=true\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.equalexperts.com\/#\/schema\/person\/ad309d5a8484849a75e1bdd9fe56878c\",\"name\":\"Paul Brabban\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\/\/www.equalexperts.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/a3520a00b97202664d60d70e71cb1aa5e1de19cd19a34f37d5622a973493db53?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/a3520a00b97202664d60d70e71cb1aa5e1de19cd19a34f37d5622a973493db53?s=96&d=mm&r=g\",\"caption\":\"Paul Brabban\"}}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","_links":{"self":[{"href":"https:\/\/www.equalexperts.com\/wp-json\/wp\/v2\/posts\/14275","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.equalexperts.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.equalexperts.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.equalexperts.com\/wp-json\/wp\/v2\/users\/168"}],"replies":[{"embeddable":true,"href":"https:\/\/www.equalexperts.com\/wp-json\/wp\/v2\/comments?post=14275"}],"version-history":[{"count":0,"href":"https:\/\/www.equalexperts.com\/wp-json\/wp\/v2\/posts\/14275\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.equalexperts.com\/wp-json\/wp\/v2\/media?parent=14275"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.equalexperts.com\/wp-json\/wp\/v2\/categories?post=14275"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.equalexperts.com\/wp-json\/wp\/v2\/tags?post=14275"},{"taxonomy":"location","embeddable":true,"href":"https:\/\/www.equalexperts.com\/wp-json\/wp\/v2\/location?post=14275"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}