Apache Airflow MySQL Provider SQL Injection Vulnerability

Vulnerability

A SQL injection vulnerability has been identified in the Apache Airflow MySQL Provider, affecting versions prior to 6.2.0. This vulnerability arises from improper handling of table parameters in the 'dump_sql' and 'load_sql' functions. When a user triggers a Directed Acyclic Graph (DAG) using these functions, they can pass a table parameter through the user interface. This could lead to the execution of unintended SQL commands, potentially causing data corruption or unauthorized modification.

Impact

Exploitation of this vulnerability allows for SQL injection, which could lead to unauthorized data manipulation or corruption within the database.

Reproduction

To reproduce this vulnerability, trigger a DAG that uses the 'dump_sql' or 'load_sql' functions. Pass a table parameter from the user interface. The lack of proper validation allows for the injection of malicious SQL, which will be executed by the database, potentially leading to unauthorized data access or modification.

Remediation

Users are advised to upgrade to Apache Airflow MySQL Provider version 6.2.0 or later, which addresses this vulnerability.
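
The validation whose absence is described above can be illustrated with the following added example. It is not the provider's code or its 6.2.0 fix. The LOAD DATA statement text, the function names and the sample table values are assumptions constructed for illustration. The sketch contrasts pasting a table value into SQL text with allowlisting and backtick-quoting the identifier first.

```python
import re

# Conservative allowlist for MySQL identifiers (assumption: table and schema
# names in this deployment use only these characters, 64 at most).
_IDENT = re.compile(r"[0-9A-Za-z_$]{1,64}")


def quote_table(name: str) -> str:
    """Return a backtick-quoted table or schema.table reference, else raise."""
    parts = name.split(".")
    if not 1 <= len(parts) <= 2:
        raise ValueError(f"unexpected table reference: {name!r}")
    for part in parts:
        if not _IDENT.fullmatch(part):
            raise ValueError(f"illegal identifier: {part!r}")
    return ".".join(f"`{p}`" for p in parts)


def build_load_unsafe(table: str) -> str:
    # Pattern the advisory describes: the table value becomes part of the SQL text.
    return f"LOAD DATA LOCAL INFILE %s INTO TABLE {table}"


def build_load_safe(table: str) -> str:
    # The file path stays a bound parameter (%s); identifiers cannot be bound,
    # so the table name is validated and quoted before it reaches the statement.
    return f"LOAD DATA LOCAL INFILE %s INTO TABLE {quote_table(table)}"


# Constructed values standing in for a table parameter supplied at trigger time.
SAMPLES = ["staging_orders", "analytics.events", "orders; DELETE FROM audit_log"]


def check(samples=SAMPLES):
    """Map each sample to the safe statement or to the rejection reason."""
    results = {}
    for value in samples:
        try:
            results[value] = build_load_safe(value)
        except ValueError as exc:
            results[value] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    print("unsafe:", build_load_unsafe(SAMPLES[2]))
    for value, outcome in check().items():
        print(f"{value!r} -> {outcome}")
```

A check of this kind complements the upgrade to 6.2.0 or later and does not replace it.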

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 4.5
impact: 5.0
exploitability: 5.2
remediation: 7.7
relevance: 0.0
threat: 1.6
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.