oss-sec mailing list archives
[CVE-2020-9483] Apache SkyWalking SQL injection vulnerability
From: Sheng Wu <wusheng () apache org>
Date: Mon, 15 Jun 2020 15:45:55 +0800
[CVEID]:CVE-2020-9483
[PRODUCT]:Apache SkyWalking
[VERSION]:Apache SkyWalking 6.0.0 to 6.6.0, 7.0.0
[PROBLEMTYPE]:SQL Injection
[DESCRIPTION]: When using H2/MySQL/TiDB as Apache SkyWalking storage, the metadata query through the GraphQL protocol has a SQL injection vulnerability, which allows access to unexpected data. Apache SkyWalking 6.0.0 to 6.6.0, 7.0.0 H2/MySQL/TiDB storage implementations don't use the appropriate way to set SQL parameters.

Sheng Wu 吴晟
Twitter, wusheng1108
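The problem class named in the advisory (query values not set as SQL parameters), shown as an added example that is not part of the original message and is not SkyWalking code. The table, column, and function names are hypothetical, the data is constructed, and Python's sqlite3 stands in for the H2/MySQL/TiDB storage.

```python
import sqlite3

# Constructed input: closes the string literal and appends a second condition.
CRAFTED = "x' OR name LIKE '"


def make_db():
    """Build constructed sample data (hypothetical table, not SkyWalking's schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE service_inventory (name TEXT, tenant TEXT)")
    db.executemany(
        "INSERT INTO service_inventory VALUES (?, ?)",
        [("checkout", "public"),
         ("payments", "public"),
         ("hr-internal", "restricted")],
    )
    return db


def search_concat(db, keyword):
    """Weak form: the caller-supplied keyword becomes part of the SQL text."""
    sql = ("SELECT name FROM service_inventory "
           "WHERE tenant = 'public' AND name LIKE '%" + keyword + "%' "
           "ORDER BY name")
    return [row[0] for row in db.execute(sql)]


def search_bound(db, keyword):
    """Corrected form: the SQL text is fixed and the keyword is bound as data."""
    sql = ("SELECT name FROM service_inventory "
           "WHERE tenant = 'public' AND name LIKE ? "
           "ORDER BY name")
    return [row[0] for row in db.execute(sql, ("%" + keyword + "%",))]


if __name__ == "__main__":
    db = make_db()
    for kw in ("pay", CRAFTED):
        print(repr(kw), "concat:", search_concat(db, kw),
              "bound:", search_bound(db, kw))
```

With an ordinary keyword both functions return the same rows; with the constructed input only the concatenated query returns the row outside the `tenant = 'public'` filter.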