-
CVSS Score
-Basic Information
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AI| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.apache.flink:flink-cdc-pipeline-connectors | maven | >= 3.0.0, < 3.5.0 | 3.5.0 |
| org.apache.flink:flink-connector-oracle-cdc | maven | >= 3.0.0, < 3.5.0 | 3.5.0 |
| org.apache.flink:flink-connector-db2-cdc | maven | >= 3.0.0, < 3.5.0 | 3.5.0 |
| org.apache.flink:flink-connector-sqlserver-cdc | maven | >= 3.0.0, < 3.5.0 | 3.5.0 |
| org.apache.flink:flink-connector-mysql-cdc | maven | >= 3.0.0, < 3.5.0 | 3.5.0 |
Miggo AIRoot Cause AnalysisThe vulnerability lies in the improper construction of SQL queries using un-sanitized user-provided identifiers such as database and table names. This allows for SQL injection attacks. The analysis of the provided patch (commit d5766187a9a4b191820e10238d4594ae665cdb89) shows that multiple methods in the org.apache.flink.cdc.connectors.oceanbase.catalog.OceanBaseMySQLCatalog class were vulnerable.
The vulnerable functions were using String.format to build SQL queries, embedding raw database and table names into the query string. This is a classic SQL injection vector. An attacker could provide a specially crafted identifier (e.g., mydb' OR '1'='1) to manipulate the query's logic or inject entirely new SQL commands.
The patch addresses these issues in two ways:
SELECT), the code was refactored to use PreparedStatement with parameter markers (?). This is the standard and recommended way to prevent SQL injection.CREATE TABLE, DROP TABLE), where parameter markers often cannot be used for identifiers, a new quote function was introduced. This function properly escapes the identifiers by wrapping them in backticks and escaping any existing backticks within the identifier itself, which is the correct way to handle identifiers in MySQL-compatible databases like OceanBase.While the vulnerability advisory mentions several Flink CDC connectors (Oracle, DB2, SQL Server, MySQL), the provided patch only contains fixes for the oceanbase connector. It is highly likely that similar vulnerable code patterns exist in the other connectors, and security engineers should investigate those as well, even though this specific commit does not patch them.
A Semantic Attack on Google Gemini - Read the Latest Research