{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29790", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-04T16:26:02.900Z", "datePublished": "2026-03-06T20:37:42.354Z", "dateUpdated": "2026-03-09T20:54:30.453Z"}, "containers": {"cna": {"title": "dbt-common: commonprefix() doesn't protect against path traversal", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 2, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/dbt-labs/dbt-common/security/advisories/GHSA-w75w-9qv4-j5xj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/dbt-labs/dbt-common/security/advisories/GHSA-w75w-9qv4-j5xj"}, {"name": "https://github.com/pypa/pip/pull/13777", "tags": ["x_refsource_MISC"], "url": "https://github.com/pypa/pip/pull/13777"}, {"name": "https://github.com/dbt-labs/dbt-common/commit/e547954a48bac9394ef6eb98432e429dce9a7709", "tags": ["x_refsource_MISC"], "url": "https://github.com/dbt-labs/dbt-common/commit/e547954a48bac9394ef6eb98432e429dce9a7709"}], "affected": [{"vendor": "dbt-labs", "product": "dbt-common", "versions": [{"version": "< 1.37.3", "status": "affected"}, {"version": "< 1.34.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T20:37:42.354Z"}, "descriptions": [{"lang": "en", "value": "dbt-common is the shared common utilities for dbt-core and adapter implementations use. Prior to versions 1.34.2 and 1.37.3, a path traversal vulnerability exists in dbt-common's safe_extract() function used when extracting tarball archives. The function uses os.path.commonprefix() to validate that extracted files remain within the intended destination directory. However, commonprefix() compares paths character-by-character rather than by path components, allowing a malicious tarball to write files to sibling directories with matching name prefixes. This issue has been patched in versions 1.34.2 and 1.37.3."}], "source": {"advisory": "GHSA-w75w-9qv4-j5xj", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-29790", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T20:50:37.998764Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T20:54:30.453Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-29790", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T20:50:37.998764Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T20:51:44.447Z"}}], "cna": {"title": "dbt-common: commonprefix() doesn't protect against path traversal", "source": {"advisory": "GHSA-w75w-9qv4-j5xj", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 2, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "dbt-labs", "product": "dbt-common", "versions": [{"status": "affected", "version": "< 1.37.3"}, {"status": "affected", "version": "< 1.34.2"}]}], "references": [{"url": "https://github.com/dbt-labs/dbt-common/security/advisories/GHSA-w75w-9qv4-j5xj", "name": "https://github.com/dbt-labs/dbt-common/security/advisories/GHSA-w75w-9qv4-j5xj", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/pypa/pip/pull/13777", "name": "https://github.com/pypa/pip/pull/13777", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/dbt-labs/dbt-common/commit/e547954a48bac9394ef6eb98432e429dce9a7709", "name": "https://github.com/dbt-labs/dbt-common/commit/e547954a48bac9394ef6eb98432e429dce9a7709", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "dbt-common is the shared common utilities for dbt-core and adapter implementations use. Prior to versions 1.34.2 and 1.37.3, a path traversal vulnerability exists in dbt-common's safe_extract() function used when extracting tarball archives. The function uses os.path.commonprefix() to validate that extracted files remain within the intended destination directory. However, commonprefix() compares paths character-by-character rather than by path components, allowing a malicious tarball to write files to sibling directories with matching name prefixes. This issue has been patched in versions 1.34.2 and 1.37.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T20:37:42.354Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29790", "state": "PUBLISHED", "dateUpdated": "2026-03-09T20:54:30.453Z", "dateReserved": "2026-03-04T16:26:02.900Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-06T20:37:42.354Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:getdbt:dbt-common:*:*:*:*:*:*:*:*", "matchCriteriaId": "91D5F6A6-AA8F-4F03-B786-EF7209FC3AA5", "versionEndExcluding": "1.34.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:getdbt:dbt-common:*:*:*:*:*:*:*:*", "matchCriteriaId": "552E0425-7675-4ACC-8F4C-AC56646A119D", "versionEndExcluding": "1.37.3", "versionStartIncluding": "1.35.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "dbt-common is the shared common utilities for dbt-core and adapter implementations use. Prior to versions 1.34.2 and 1.37.3, a path traversal vulnerability exists in dbt-common's safe_extract() function used when extracting tarball archives. The function uses os.path.commonprefix() to validate that extracted files remain within the intended destination directory. However, commonprefix() compares paths character-by-character rather than by path components, allowing a malicious tarball to write files to sibling directories with matching name prefixes. This issue has been patched in versions 1.34.2 and 1.37.3."}, {"lang": "es", "value": "dbt-common son las utilidades comunes compartidas que utilizan las implementaciones de dbt-core y adaptadores. Antes de las versiones 1.34.2 y 1.37.3, una vulnerabilidad de salto de ruta existe en la funci\u00f3n safe_extract() de dbt-common utilizada al extraer archivos tarball. La funci\u00f3n usa os.path.commonprefix() para validar que los archivos extra\u00eddos permanezcan dentro del directorio de destino previsto. Sin embargo, commonprefix() compara rutas car\u00e1cter por car\u00e1cter en lugar de por componentes de ruta, permitiendo que un tarball malicioso escriba archivos en directorios hermanos con prefijos de nombre coincidentes. Este problema ha sido parcheado en las versiones 1.34.2 y 1.37.3."}], "id": "CVE-2026-29790", "lastModified": "2026-03-13T18:31:00.637", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "[email protected]", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.0, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "[email protected]", "type": "Secondary"}]}, "published": "2026-03-06T21:16:15.630", "references": [{"source": "[email protected]", "tags": ["Patch"], "url": "https://github.com/dbt-labs/dbt-common/commit/e547954a48bac9394ef6eb98432e429dce9a7709"}, {"source": "[email protected]", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/dbt-labs/dbt-common/security/advisories/GHSA-w75w-9qv4-j5xj"}, {"source": "[email protected]", "tags": ["Issue Tracking"], "url": "https://github.com/pypa/pip/pull/13777"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "[email protected]", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.37.3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.34.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "dbt-common", "source": "cna", "vendor": "dbt-labs"}, "product": "dbt-common", "vendor": "dbt-labs"}], "created": "2026-03-09T10:06:59.209781+00:00", "updated": "2026-03-09T10:06:59.209860+00:00", "vendors": ["dbt-labs", "dbt-labs$PRODUCT$dbt-common"]}