SQL Injection Vulnerability in Apache SkyWalking by The Apache Software Foundation
CVE-2020-9483

7.5HIGH

Key Information:

Vendor: Apache
Status: Apache Skywalking
Vendor: CVE Published:; 30 June 2020

Badges

👾 Exploit Exists🟡 Public PoC

Summary

A SQL injection vulnerability exists in the Apache SkyWalking when utilizing H2, MySQL, or TiDB for storage. This flaw arises from incorrect handling of SQL parameters during metadata queries via the GraphQL protocol. Attackers can exploit this vulnerability to gain unauthorized access to sensitive data, potentially leading to data breaches and other security risks. It is crucial for users operating affected versions to apply security patches to mitigate this risk.

Affected Version(s)

Apache SkyWalking Apache SkyWalking 6.0.0 to 6.6.0, 7.0.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2020-9483
Created by Neko-chanQwQ

apache_skywalking
Created by shanika04

References

https://github.com/apache/skywalking/pull/4639

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Jul 19, 2021
👾
Exploit known to exist
Jul 19, 2021
Vulnerability published
Jun 30, 2020
Vulnerability Reserved
Mar 1, 2020