Vulnerability Details CVE-2020-9483
**Resolved** When use H2/MySQL/TiDB as Apache SkyWalking storage, the metadata query through GraphQL protocol, there is a SQL injection vulnerability, which allows to access unpexcted data. Apache SkyWalking 6.0.0 to 6.6.0, 7.0.0 H2/MySQL/TiDB storage implementations don't use the appropriate way to set SQL parameters.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.924
EPSS Ranking 99.7%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 5.0
References
Products affected by CVE-2020-9483
-
cpe:2.3:a:apache:skywalking:6.0.0
-
cpe:2.3:a:apache:skywalking:6.1.0
-
cpe:2.3:a:apache:skywalking:6.2.0
-
cpe:2.3:a:apache:skywalking:6.3.0
-
cpe:2.3:a:apache:skywalking:6.4.0
-
cpe:2.3:a:apache:skywalking:6.5.0
-
cpe:2.3:a:apache:skywalking:6.6.0
-
cpe:2.3:a:apache:skywalking:7.0.0