CVE-2025-27018

Apache Airflow MySQL Provider: SQL injection in MySQL provider core function

CVSS 6.3 MEDIUMEPSS 0.8%CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Airflow MySQL Provider. When user triggered a DAG with dump_sql or load_sql functions they could pass a table parameter from a UI, that could cause SQL injection by running SQL that was not intended. It could lead to data corruption, modification and others. This issue affects Apache Airflow MySQL Provider: before 6.2.0. Users are recommended to upgrade to version 6.2.0, which fixes the issue.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Produtos afetados

Apache Software Foundation · Apache Airflow MySQL Provider

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://github.com/apache/airflow/pull/47254 https://github.com/apache/airflow/pull/47255 https://lists.apache.org/thread/m8ohgkwz4mq9njohf66sjwqjdy28gvzf http://www.openwall.com/lists/oss-security/2025/03/19/4