CVE-2020-9483

Name of the Vulnerable Software and Affected Versions Apache SkyWalking versions 6.0.0 through 6.6.0 Apache SkyWalking version 7.0.0

Description The issue is related to a SQL injection vulnerability when using H2, MySQL, or TiDB as storage for Apache SkyWalking. This vulnerability occurs during metadata queries through the GraphQL protocol, allowing access to unexpected data. The storage implementations for H2, MySQL, and TiDB in the affected versions do not properly set SQL parameters.

Recommendations For Apache SkyWalking versions 6.0.0 through 6.6.0, update to a version that uses the appropriate method to set SQL parameters. For Apache SkyWalking version 7.0.0, update to a version that uses the appropriate method to set SQL parameters. As a temporary workaround, consider restricting access to the GraphQL protocol for metadata queries until a patch is available.