CVE-2020-9483

Опубликовано: 30 июн. 2020

Источник: nvd

CVSS3: 7.5

CVSS2: 5

EPSS Критический

Описание

Resolved When use H2/MySQL/TiDB as Apache SkyWalking storage, the metadata query through GraphQL protocol, there is a SQL injection vulnerability, which allows to access unpexcted data. Apache SkyWalking 6.0.0 to 6.6.0, 7.0.0 H2/MySQL/TiDB storage implementations don't use the appropriate way to set SQL parameters.

Ссылки

https://github.com/apache/skywalking/pull/4639
Third Party Advisory
https://github.com/apache/skywalking/pull/4639
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:apache:skywalking:*:*:*:*:*:*:*:*

Версия от 6.0.0 (включая) до 6.6.0 (включая)

cpe:2.3:a:apache:skywalking:7.0.0:*:*:*:*:*:*:*

EPSS

Процентиль: 100%

0.93816

Критический

7.5 High

CVSS3

5 Medium

CVSS2

Дефекты

CWE-89

Связанные уязвимости

GHSA-p9p3-c9pg-xjrh

github

больше 3 лет назад

**Resolved** When use H2/MySQL/TiDB as Apache SkyWalking storage, the metadata query through GraphQL protocol, there is a SQL injection vulnerability, which allows to access unpexcted data. Apache SkyWalking 6.0.0 to 6.6.0, 7.0.0 H2/MySQL/TiDB storage implementations don't use the appropriate way to set SQL parameters.