oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: CVE-2025-30473: Apache Airflow Common SQL Provider: Remote Code Execution via Sql Injection

From: Hanno Böck <hanno () hboeck de>
Date: Sun, 6 Apr 2025 10:37:49 +0200
Hello,

On Fri, 04 Apr 2025 18:54:21 +0000
Elad Kalif <eladkal () apache org> wrote:


https://github.com/apache/airflow/pull/48098


If I read this code correctly, the only thing this PR changes is to
reject inputs with an ";" character.
I am not familiar with the codebase, and also by no means an expert in
SQL injections. But I am pretty sure there are ways to exploit SQL
injections that do not involve a ";" character.

Can anyone familiar with the issue check that this is indeed a proper
fix?


-- 
Hanno Böck
https://hboeck.de/
Previous By Date Next
Previous By Thread Next

Current thread: