
CVE-2025-30473
Date: April 7, 2025
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Airflow Common SQL Provider before 1.24.1. When the partition clause in SQLTableCheckOperator was used as a parameter (which was a recommended pattern), an authenticated UI user could inject arbitrary SQL commands when triggering a DAG that exposes partition_clause to the user. This allowed the DAG-triggering user to escalate privileges and execute arbitrary commands that they normally would not be able to run.
Top Fix

Upgrade Version
Upgrade to version apache-airflow-providers-common-sql - 1.24.1; https://github.com/apache/airflow.git - providers-common-sql/1.24.1
CVSS v3.1
Base Score: | |
---|---|
Attack Vector (AV): | NETWORK |
Attack Complexity (AC): | LOW |
Privileges Required (PR): | NONE |
User Interaction (UI): | NONE |
Scope (S): | UNCHANGED |
Confidentiality (C): | HIGH |
Integrity (I): | HIGH |
Availability (A): | HIGH |