SQL Injection Vulnerability in Apache SkyWalking with H2/MySQL/TiDB Storage
CVE-2020-13921

9.8CRITICAL

Key Information:

Vendor
Apache
Status
Apache Skywalking
Vendor
CVE Published:
5 August 2020

Summary

A SQL injection vulnerability exists in Apache SkyWalking when using H2, MySQL, or TiDB as the storage option. This vulnerability arises specifically during wildcard query operations, which could allow an attacker to manipulate database queries, potentially exposing sensitive data or leading to unauthorized actions within the application. It's crucial for users relying on these database options to implement the necessary updates to ensure the integrity and security of their installations.

Affected Version(s)

Apache SkyWalking Apache SkyWalking 6.5.0, 6.6.0, 7.0.0, 8.0.0, 8.0.1

References

https://github.com/apache/skywalking/pull/4970
x_refsource_MISC
http://www.openwall.com/lists/oss-security/2020/08/05/3
mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/r6f3a934ebc54585d846...
mailing-listx_refsource_MLIST

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.