CVE-2020-9483

7.5HIGH

Key Information:

Vendor: Apache
Status: Apache Skywalking
Vendor: CVE Published:; 30 June 2020

Badges

👾 Exploit Exists🟡 Public PoC

Summary

Resolved When use H2/MySQL/TiDB as Apache SkyWalking storage, the metadata query through GraphQL protocol, there is a SQL injection vulnerability, which allows to access unpexcted data. Apache SkyWalking 6.0.0 to 6.6.0, 7.0.0 H2/MySQL/TiDB storage implementations don't use the appropriate way to set SQL parameters.

Affected Version(s)

Apache SkyWalking Apache SkyWalking 6.0.0 to 6.6.0, 7.0.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2020-9483
Created by Neko-chanQwQ

apache_skywalking
Created by shanika04

References

https://github.com/apache/skywalking/pull/4639

x_refsource_MISC

EPSS Score

5% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Jul 19, 2021
👾
Exploit known to exist
Jul 19, 2021
Vulnerability published
Jun 30, 2020
Vulnerability Reserved
Mar 1, 2020