CVE-2025-27018

Опубликовано: 19 мар. 2025

Источник: nvd

CVSS3: 6.3

EPSS Низкий

Описание

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Airflow MySQL Provider.

When user triggered a DAG with dump_sql or load_sql functions they could pass a table parameter from a UI, that could cause SQL injection by running SQL that was not intended. It could lead to data corruption, modification and others. This issue affects Apache Airflow MySQL Provider: before 6.2.0.

Users are recommended to upgrade to version 6.2.0, which fixes the issue.

Ссылки

https://github.com/apache/airflow/pull/47254
Issue Tracking
https://github.com/apache/airflow/pull/47255
Issue Tracking
https://lists.apache.org/thread/m8ohgkwz4mq9njohf66sjwqjdy28gvzf
Mailing List
Vendor Advisory
http://www.openwall.com/lists/oss-security/2025/03/19/4
Mailing List

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:apache:apache-airflow-providers-mysql:*:*:*:*:*:*:*:*

Версия до 6.2.0 (исключая)

EPSS

Процентиль: 56%

0.00333

Низкий

6.3 Medium

CVSS3

Дефекты

CWE-89

Связанные уязвимости

GHSA-hhm6-jjf4-6pm3