Lucene search

[email protected]CVE-2020-9483

HistoryJun 30, 2020 - 3:15 p.m.

CVE-2020-9483

2020-06-3015:15:00

CWE-89

[email protected]

web.nvd.nist.gov

cve-2020-9483

sql injection

apache skywalking

security vulnerability

nvd

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

7.9 High

AI Score

Confidence

High

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.043 Low

EPSS

Percentile

92.3%

JSON

Resolved When use H2/MySQL/TiDB as Apache SkyWalking storage, the metadata query through GraphQL protocol, there is a SQL injection vulnerability, which allows to access unpexcted data. Apache SkyWalking 6.0.0 to 6.6.0, 7.0.0 H2/MySQL/TiDB storage implementations don’t use the appropriate way to set SQL parameters.

CPENameOperatorVersion
apache:skywalkingapache skywalkingeq7.0.0
apache:skywalkingapache skywalkingle6.6.0

CPE	Name	Operator	Version
apache:skywalking	apache skywalking	eq	7.0.0
apache:skywalking	apache skywalking	le	6.6.0

References

github.com/apache/skywalking/pull/4639

Social References

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

7.9 High

AI Score

Confidence

High

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.043 Low

EPSS

Percentile

92.3%

JSON

Related for CVE-2020-9483

prion1 osv1 nuclei1 githubexploit2 veracode1 checkpoint_advisories1