Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN389

_____________________________________________________________________

DATE                : 25/06/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Airflow Providers Snowflake
                       versions prior to 6.4.0.

=====================================================================
https://lists.apache.org/thread/ng8ldf5vw342z32g173gr9prygptjn7k
_____________________________________________________________________

CVE-2025-50213: Apache Airflow Providers Snowflake: Potential SQL
injection in CopyFromExternalStageToSnowflakeOperator


Severity: low 

Affected versions:

- Apache Airflow Providers Snowflake
(apache-airflow-providers-snowflake) before 6.4.0


Description:

Failure to Sanitize Special Elements into a Different Plane (Special
Element Injection) vulnerability in Apache Airflow Providers Snowflake.

This issue affects Apache Airflow Providers Snowflake: before 6.4.0.

Sanitation of table and stage parameters were added in
CopyFromExternalStageToSnowflakeOperator to prevent SQL injection

Users are recommended to upgrade to version 6.4.0, which fixes the
issue.


Credit:

Nhien Pham (@nhienit) at Galaxy One (finder)


References:

https://github.com/apache/airflow/pull/51734
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-50213


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================