oss-sec mailing list archives

[CVE-2020-9483] Apache SkyWalking SQL injection vulnerability


From: Sheng Wu <wusheng () apache org>
Date: Mon, 15 Jun 2020 15:45:55 +0800

[CVEID]:CVE-2020-9483
[PRODUCT]:Apache SkyWalking
[VERSION]:Apache SkyWalking 6.0.0 to 6.6.0, 7.0.0
[PROBLEMTYPE]:SQL Injection
[DESCRIPTION]: When using H2/MySQL/TiDB as Apache SkyWalking storage, the metadata query through the GraphQL protocol has a SQL injection vulnerability, which allows access to unexpected data. The Apache SkyWalking 6.0.0 to 6.6.0 and 7.0.0 H2/MySQL/TiDB storage implementations don't use the appropriate way to set SQL parameters.
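The advisory's root cause is the general one for this vulnerability class: a query value spliced into the SQL text instead of being bound as a parameter. The following is an added illustration, not SkyWalking's code; it uses Python's sqlite3 in place of H2/MySQL/TiDB, and the table `service_inventory` with its rows is a constructed stand-in for a metadata table, not the project's schema. It shows the vulnerable pattern beside the corrected one on the same input.

```python
import sqlite3

# Constructed sample data standing in for a metadata table (hypothetical
# schema, not SkyWalking's). Two owners' services sit side by side.
ROWS = [
    ("svc-a", "team-blue"),
    ("svc-b", "team-blue"),
    ("billing", "team-red"),
]


def _connect():
    """Build an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE service_inventory (name TEXT, owner TEXT)")
    conn.executemany("INSERT INTO service_inventory VALUES (?, ?)", ROWS)
    return conn


def lookup_concat(conn, owner, name):
    """Vulnerable pattern: caller-controlled values spliced into the SQL text.

    The value can change the shape of the WHERE clause, so the owner filter
    no longer restricts what is returned.
    """
    sql = (
        "SELECT name FROM service_inventory WHERE owner = '%s' AND name = '%s'"
        % (owner, name)
    )
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, owner, name):
    """Corrected pattern: SQL text is fixed, values are passed as parameters.

    The driver sends the values separately, so they are only ever compared
    as data and cannot alter the query structure.
    """
    sql = "SELECT name FROM service_inventory WHERE owner = ? AND name = ?"
    return [row[0] for row in conn.execute(sql, (owner, name))]


def demo():
    """Run both lookups with a benign and a crafted name; return the results."""
    conn = _connect()
    benign = "svc-a"
    crafted = "x' OR '1'='1"  # constructed input that breaks out of the quotes
    return {
        "concat_benign": lookup_concat(conn, "team-blue", benign),
        "concat_crafted": lookup_concat(conn, "team-blue", crafted),
        "bound_benign": lookup_bound(conn, "team-blue", benign),
        "bound_crafted": lookup_bound(conn, "team-blue", crafted),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With concatenation the crafted name returns every row, including the other owner's, which is the "access to unexpected data" the advisory describes; with bound parameters the same input simply matches nothing. When reviewing a storage layer for this defect, the thing to look for is any SQL string assembled with `+`, `%`, `format` or `StringBuilder` from request-derived values; the fix is to keep the statement text constant and hand every value to the driver as a parameter.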

Sheng Wu 吴晟
Twitter, wusheng1108
