CVE-2025-62228

Severity CVSS v4.0:

MEDIUM

Type:

CWE-89 SQL Injection

Publication date:

09/10/2025

Last modified:

09/10/2025

Description

Apache Flink CDC version 3.4.0 was vulnerable to a SQL injection via maliciously crafted identifiers eg. crafted database name or crafted table name. Even through only the logged-in database user can trigger the attack, we recommend users update Flink CDC version to 3.5.0 which address this issue.

Impact

Vector 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/R:U/V:C/RE:L/U:Amber CVSS v4.0 Severity and Metrics:

Base Score: 5.10 MEDIUM
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/R:U/V:C/RE:L/U:Amber

Attack Vector (AV): Network
Attack Complexity (AC): Low
Attack Requirements (AT): None
Privileges Required (PR): High
User Interaction (UI): None
Confidentiality (VC): Low
Integrity (VI): Low
Availability (VA): Low
Confidentiality (SC): Low
Integrity (SI): Low
Availability (SA): Low
Recovery (R): User
Value Density (V): Concentrated
Vulnerability Response Effort (RE): Low
Provider Urgency (U): Amber

Base Score 4.0

5.10

Severity 4.0

MEDIUM

References to Advisories, Solutions, and Tools

https://lists.apache.org/thread/3dn0hc1wbc5sj0jbgdg33gtnwlw7qrl3