oss-sec mailing list archives
Re: CVE-2025-30473: Apache Airflow Common SQL Provider: Remote Code Execution via Sql Injection
From: Jeffrey Walton <noloader () gmail com>
Date: Sun, 6 Apr 2025 18:59:14 -0400
On Sun, Apr 6, 2025 at 9:46 AM Hanno Böck <hanno () hboeck de> wrote:
On Fri, 04 Apr 2025 18:54:21 +0000 Elad Kalif <eladkal () apache org> wrote:
https://github.com/apache/airflow/pull/48098

If I read this code correctly, the only thing this PR changes is to reject inputs with an ";" character. I am not familiar with the codebase, and also by no means an expert in SQL injections. But I am pretty sure there are ways to exploit SQL injections that do not involve a ";" character. Can anyone familiar with the issue check that this is indeed a proper fix?
The code still looks vulnerable (to me). The proper fix is a Parameterized Query. But you can't bind column names, table names or similar in a Parameterized Query. With lots of hand-waving, you can only bind variables found in a WHERE clause. So Parameterized Queries are not available in this case.

The next choice is a whitelist of names for the partition. That would mostly fix the injection issue, but leave some residual risk since the attacker still controls the partition name. But the attacker can only select a whitelisted name.

And I could be completely sideways since I don't use Apache Airflow.

Jeff
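The two points made in the thread above (a ';' filter does not stop injection into a statement that is still built by string concatenation, and a placeholder cannot stand in for a table or partition name, which is why an allowlist of known names is the fallback) in runnable form. This is an added example against a constructed in-memory SQLite database; it is not Airflow's code and makes no claim about what the provider's query actually looks like. The table names `events` and `secrets`, the `ALLOWED_TABLES` set and the function names are all assumptions made for the illustration.

```python
import sqlite3


def make_db():
    """Constructed demo database, not Airflow: one table the caller may
    count and one table it must never be able to read."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE events (partition_name TEXT, payload TEXT);
        INSERT INTO events VALUES ('2025-04-01', 'a'), ('2025-04-02', 'b');
        CREATE TABLE secrets (value TEXT);
        INSERT INTO secrets VALUES ('s3cr3t');
        """
    )
    return conn


def identifier_binding_fails(conn):
    """Parameterized queries bind values, not identifiers: a '?' in the
    FROM clause does not compile, so a table name cannot be bound."""
    try:
        conn.execute("SELECT COUNT(*) FROM ? WHERE partition_name = ?",
                     ("events", "2025-04-01"))
    except sqlite3.OperationalError:
        return True
    return False


def count_rows_reject_semicolon(conn, table):
    """Hypothetical 'fix' that only rejects ';' before interpolating the
    identifier. Statement stacking is blocked, but the input can still
    extend the single statement that is built by string formatting."""
    if ";" in table:
        raise ValueError("rejected: ';' not allowed")
    return conn.execute(f"SELECT COUNT(*) FROM {table}").fetchall()


# Allowlist of identifiers the code knows about (assumed for the demo).
ALLOWED_TABLES = frozenset({"events"})


def count_rows_allowlisted(conn, table):
    """Allowlist approach: the caller can only pick a name the code already
    knows, so no attacker-chosen text reaches the SQL. The name is still
    double-quoted as an identifier, as defense in depth."""
    if table not in ALLOWED_TABLES:
        raise ValueError(f"unknown table: {table!r}")
    quoted = '"' + table.replace('"', '""') + '"'
    return conn.execute(f"SELECT COUNT(*) FROM {quoted}").fetchone()[0]


def allowlist_rejects(conn, table):
    """True if the allowlisted variant refuses the supplied name."""
    try:
        count_rows_allowlisted(conn, table)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    # Constructed payload: no ';' anywhere, so the filter lets it through,
    # yet it turns COUNT(*) into a UNION that reads the other table.
    payload = "events UNION SELECT value FROM secrets"
    print("placeholder for a table name is a syntax error:",
          identifier_binding_fails(db))
    print("';' filter, rows returned:", count_rows_reject_semicolon(db, payload))
    print("allowlist, legitimate name:", count_rows_allowlisted(db, "events"))
    print("allowlist, payload rejected:", allowlist_rejects(db, payload))
```

The residual risk Jeff mentions is visible in `count_rows_allowlisted`: the attacker still chooses which allowlisted table is counted, so the check limits what they can choose from rather than removing their influence altogether.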
Current thread:
- CVE-2025-30473: Apache Airflow Common SQL Provider: Remote Code Execution via Sql Injection Elad Kalif (Apr 04)
- Re: CVE-2025-30473: Apache Airflow Common SQL Provider: Remote Code Execution via Sql Injection Hanno Böck (Apr 06)
- Re: CVE-2025-30473: Apache Airflow Common SQL Provider: Remote Code Execution via Sql Injection Solar Designer (Apr 06)
- Re: CVE-2025-30473: Apache Airflow Common SQL Provider: Remote Code Execution via Sql Injection Jeffrey Walton (Apr 06)
- Re: CVE-2025-30473: Apache Airflow Common SQL Provider: Remote Code Execution via Sql Injection Hanno Böck (Apr 06)
