SQL Injection Affecting org.apache.flink:flink-connector-db2-cdc package, versions [3.0.0,3.5.0)

Q: How to fix?

Upgrade org.apache.flink:flink-connector-db2-cdc to version 3.5.0 or higher.

Threat Intelligence

0.04% (10^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about SQL Injection vulnerabilities in an interactive lesson.

Start learning

Snyk IDSNYK-JAVA-ORGAPACHEFLINK-13539422
published13 Oct 2025
disclosed9 Oct 2025
creditintSheep, Mapta/BugBunny_ai

Report a new vulnerability Found a mistake?

Introduced: 9 Oct 2025

NewCVE-2025-62228 (opens in a new tab) CWE-89 (opens in a new tab)

How to fix?

Upgrade org.apache.flink:flink-connector-db2-cdc to version 3.5.0 or higher.

Overview

Affected versions of this package are vulnerable to SQL Injection via the quote() function that fails to properly escape special characters. An attacker can execute arbitrary SQL commands by supplying specially crafted input values for database name or table names.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
High
User Interaction (UI)
None
Recovery (R)
Unreliable
Value Density (V)
Concentrated
Vulnerability Response Effort (RE)
Low
Provider Urgency (U)
Amber

Confidentiality (VC)
Low
Integrity (VI)
Low
Availability (VA)
Low

Confidentiality (SC)
Low
Integrity (SI)
Low
Availability (SA)
Low