oss-sec mailing list archives
Re: CVE-2025-30473: Apache Airflow Common SQL Provider: Remote Code Execution via Sql Injection
From: Solar Designer <solar () openwall com>
Date: Mon, 7 Apr 2025 00:09:04 +0200
On Sun, Apr 06, 2025 at 10:37:49AM +0200, Hanno Böck wrote:
On Fri, 04 Apr 2025 18:54:21 +0000 Elad Kalif <eladkal () apache org> wrote:https://github.com/apache/airflow/pull/48098If I read this code correctly, the only thing this PR changes is to reject inputs with an ";" character. I am not familiar with the codebase, and also by no means an expert in SQL injections. But I am pretty sure there are ways to exploit SQL injections that do not involve a ";" character. Can anyone familiar with the issue check that this is indeed a proper fix?
Elad doesn't appear to be subscribed (as is usual and normal for reports by Apache projects), so I am CC'ing him here. The fix does indeed look weird to me as well, but I am not familiar with the codebase, nor with the issue. Alexander
Current thread:
- CVE-2025-30473: Apache Airflow Common SQL Provider: Remote Code Execution via Sql Injection Elad Kalif (Apr 04)
- Re: CVE-2025-30473: Apache Airflow Common SQL Provider: Remote Code Execution via Sql Injection Hanno Böck (Apr 06)
- Re: CVE-2025-30473: Apache Airflow Common SQL Provider: Remote Code Execution via Sql Injection Solar Designer (Apr 06)
- Re: CVE-2025-30473: Apache Airflow Common SQL Provider: Remote Code Execution via Sql Injection Jeffrey Walton (Apr 06)
- Re: CVE-2025-30473: Apache Airflow Common SQL Provider: Remote Code Execution via Sql Injection Hanno Böck (Apr 06)