
=====================================================================

                            CERT-Renater

                Information Note No. 2025/VULN152

_____________________________________________________________________

DATE                : 19/03/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Airflow MySQL Provider
                             versions prior to 6.2.0.

=====================================================================
https://lists.apache.org/thread/2rjd6734ongf14xo2hllhppo1cy3t3nv
_____________________________________________________________________

CVE-2025-27018: Apache Airflow MySQL Provider: SQL injection in MySQL
provider core function


Severity: low

Affected versions:

- Apache Airflow MySQL Provider before 6.2.0

Description:

Improper Neutralization of Special Elements used in an SQL Command
('SQL Injection') vulnerability in Apache Airflow MySQL Provider.

When a user triggered a DAG using the dump_sql or load_sql functions,
they could pass a table parameter from the UI, which could cause SQL
injection by running SQL that was not intended.

It could lead to data corruption, modification and other impacts.
This issue affects Apache Airflow MySQL Provider: before 6.2.0.

Users are recommended to upgrade to version 6.2.0, which fixes
the issue.
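Added illustration, not the provider's own code: the weak pattern the advisory describes (a UI-supplied table name pasted into the SQL text) beside a hardened builder that validates and quotes the identifier first. Helper names, the identifier character set and the sqlite3 stand-in for MySQL are assumptions.

```python
import re
import sqlite3

# Hypothetical helpers written for this note, not the Airflow MySQL provider's
# code. Assumed character set for an unquoted MySQL identifier: letters,
# digits, '_' and '$'. Anything else (spaces, ';', quotes, '--') is rejected.
_IDENTIFIER = re.compile(r"[A-Za-z0-9_$]+")


def is_safe_identifier(name: str) -> bool:
    """True only for a plain identifier with no SQL syntax characters."""
    return _IDENTIFIER.fullmatch(name) is not None


def quote_identifier(name: str) -> str:
    """Validate the identifier and wrap it in backticks for the statement."""
    if not is_safe_identifier(name):
        raise ValueError(f"invalid SQL identifier: {name!r}")
    return f"`{name}`"


def build_dump_sql_weak(table: str) -> str:
    """Weak pattern: whatever the UI sent becomes part of the SQL text."""
    return f"SELECT * FROM {table}"


def build_dump_sql_hardened(table: str) -> str:
    """Same statement, but the table name is validated and quoted first."""
    return f"SELECT * FROM {quote_identifier(table)}"


def sample_db() -> sqlite3.Connection:
    """Constructed in-memory table; sqlite3 also accepts backtick identifiers."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users (id INTEGER, name TEXT);"
        "INSERT INTO users VALUES (1, 'alice'), (2, 'bob');"
    )
    return conn


def dump_table(conn: sqlite3.Connection, table: str) -> list:
    """Hardened dump: raises ValueError rather than running unintended SQL."""
    return conn.execute(build_dump_sql_hardened(table)).fetchall()


if __name__ == "__main__":
    conn = sample_db()
    print(dump_table(conn, "users"))                   # [(1, 'alice'), (2, 'bob')]
    print(build_dump_sql_weak("users WHERE id = 1"))   # extra SQL survives verbatim
    print(is_safe_identifier("users WHERE id = 1"))    # False: hardened path rejects it
```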


Credit:

Vincent55 (DEVCORE Internship Program) (finder)


References:

https://github.com/apache/airflow/pull/47254
https://github.com/apache/airflow/pull/47255
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-27018


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
