Dagster
Monthly
SQL injection in Dagster orchestration platform allows authenticated users with 'Add Dynamic Partitions' permission to execute arbitrary SQL against DuckDB, Snowflake, BigQuery, and DeltaLake databases via crafted partition keys. Affected I/O managers interpolate dynamic partition values into WHERE clauses without sanitization, enabling attackers to read or modify data under the I/O manager's database credentials. Only deployments using dynamic partitions are vulnerable - static and time-window partitions are unaffected. Vendor-released patches are available (Dagster Core 1.13.1, libraries 0.29.1). No public exploit code identified at time of analysis, though exploitation is straightforward for authenticated users with the specific permission.
SQL injection in Dagster orchestration platform allows authenticated users with 'Add Dynamic Partitions' permission to execute arbitrary SQL against DuckDB, Snowflake, BigQuery, and DeltaLake databases via crafted partition keys. Affected I/O managers interpolate dynamic partition values into WHERE clauses without sanitization, enabling attackers to read or modify data under the I/O manager's database credentials. Only deployments using dynamic partitions are vulnerable - static and time-window partitions are unaffected. Vendor-released patches are available (Dagster Core 1.13.1, libraries 0.29.1). No public exploit code identified at time of analysis, though exploitation is straightforward for authenticated users with the specific permission.