Search criteria
10 vulnerabilities found for skywalking by apache
CVE-2026-30778 (GCVE-0-2026-30778)
Vulnerability from nvd – Published: 2026-04-15 10:54 – Updated: 2026-04-16 12:05
VLAI
Title
Apache SkyWalking: The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL.
Summary
The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL.
This issue affects Apache SkyWalking: from 9.7.0 through 10.3.0.
Users are recommended to upgrade to version 10.4.0, which fixes the issue.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-202 - Exposure of Sensitive Information Through Data Queries
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache SkyWalking |
Affected:
9.7.0 , ≤ 10.3.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-04-15T11:25:13.874Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/15/2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-30778",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-16T12:00:29.322586Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-16T12:05:25.254Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache SkyWalking",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "10.3.0",
"status": "affected",
"version": "9.7.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "shuiboye@gmail.com"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL.\u003c/p\u003e\u003cp\u003eThis issue affects Apache SkyWalking: from 9.7.0 through 10.3.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 10.4.0, which fixes the issue.\u003c/p\u003e"
}
],
"value": "The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL.\n\nThis issue affects Apache SkyWalking: from 9.7.0 through 10.3.0.\n\nUsers are recommended to upgrade to version 10.4.0, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-202",
"description": "CWE-202 Exposure of Sensitive Information Through Data Queries",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-15T10:54:25.212Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/pvf35o3tp1rqhmrhzj6fg31gvqrqcvn3"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache SkyWalking: The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL.",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2026-30778",
"datePublished": "2026-04-15T10:54:25.212Z",
"dateReserved": "2026-03-05T01:06:13.446Z",
"dateUpdated": "2026-04-16T12:05:25.254Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-54057 (GCVE-0-2025-54057)
Vulnerability from nvd – Published: 2025-11-27 11:47 – Updated: 2026-04-13 15:29
VLAI
Title
Apache SkyWalking: Stored XSS vulnerability
Summary
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache SkyWalking.
This issue affects Apache SkyWalking: <= 10.2.0.
Users are recommended to upgrade to version 10.3.0, which fixes the issue.
Severity
6.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Assigner
References
3 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache SkyWalking |
Affected:
0 , ≤ 10.2.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-04-13T15:29:56.169Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/11/27/1"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/13/3"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-54057",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-28T16:37:24.756331Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-28T16:38:32.983Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache SkyWalking",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "10.2.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Vinh Nguy\u1ec5n Quang (vinhnq4902@gmail.com)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eImproper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache SkyWalking.\u003c/p\u003e\u003cp\u003eThis issue affects Apache SkyWalking: \u0026lt;= 10.2.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 10.3.0, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache SkyWalking.\n\nThis issue affects Apache SkyWalking: \u003c= 10.2.0.\n\nUsers are recommended to upgrade to version 10.3.0, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T13:02:02.249Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/sl2x2tx8y007x0mo746yddx2lvnv9tcr"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache SkyWalking: Stored XSS vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-54057",
"datePublished": "2025-11-27T11:47:32.947Z",
"dateReserved": "2025-07-16T11:09:55.585Z",
"dateUpdated": "2026-04-13T15:29:56.169Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-36127 (GCVE-0-2022-36127)
Vulnerability from nvd – Published: 2022-07-18 11:30 – Updated: 2024-08-03 10:00
VLAI
Title
Service unavailability impact in NodeJS agent(version <= 0.5.0)
Summary
A vulnerability in Apache SkyWalking NodeJS Agent prior to 0.5.1. The vulnerability will cause NodeJS services that has this agent installed to be unavailable if the OAP is unhealthy and NodeJS agent can't establish the connection.
Severity
No CVSS data available.
CWE
- Denial of Service
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/x238wo4r5goy39dxd… | x_refsource_MISC |
| http://www.openwall.com/lists/oss-security/2022/07/18/1 | mailing-listx_refsource_MLIST |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache SkyWalking NodeJS Agent |
Affected:
Apache SkyWalking NodeJS Agent , ≤ 0.5.0
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T10:00:01.456Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread/x238wo4r5goy39dxdjcmlofp6gcdnqr3"
},
{
"name": "[oss-security] 20220718 CVE-2022-36127: Apache SkyWalking NodeJS Agent: Service unavailability impact in NodeJS agent(version \u003c= 0.5.0)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/07/18/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache SkyWalking NodeJS Agent",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "0.5.0",
"status": "affected",
"version": "Apache SkyWalking NodeJS Agent",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in Apache SkyWalking NodeJS Agent prior to 0.5.1. The vulnerability will cause NodeJS services that has this agent installed to be unavailable if the OAP is unhealthy and NodeJS agent can\u0027t establish the connection."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Denial of Service",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-18T14:06:14.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread/x238wo4r5goy39dxdjcmlofp6gcdnqr3"
},
{
"name": "[oss-security] 20220718 CVE-2022-36127: Apache SkyWalking NodeJS Agent: Service unavailability impact in NodeJS agent(version \u003c= 0.5.0)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2022/07/18/1"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Service unavailability impact in NodeJS agent(version \u003c= 0.5.0)",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2022-36127",
"STATE": "PUBLIC",
"TITLE": "Service unavailability impact in NodeJS agent(version \u003c= 0.5.0)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache SkyWalking NodeJS Agent",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "Apache SkyWalking NodeJS Agent",
"version_value": "0.5.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability in Apache SkyWalking NodeJS Agent prior to 0.5.1. The vulnerability will cause NodeJS services that has this agent installed to be unavailable if the OAP is unhealthy and NodeJS agent can\u0027t establish the connection."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread/x238wo4r5goy39dxdjcmlofp6gcdnqr3",
"refsource": "MISC",
"url": "https://lists.apache.org/thread/x238wo4r5goy39dxdjcmlofp6gcdnqr3"
},
{
"name": "[oss-security] 20220718 CVE-2022-36127: Apache SkyWalking NodeJS Agent: Service unavailability impact in NodeJS agent(version \u003c= 0.5.0)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2022/07/18/1"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-36127",
"datePublished": "2022-07-18T11:30:13.000Z",
"dateReserved": "2022-07-17T00:00:00.000Z",
"dateUpdated": "2024-08-03T10:00:01.456Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-13921 (GCVE-0-2020-13921)
Vulnerability from nvd – Published: 2020-08-05 13:25 – Updated: 2024-08-04 12:32
VLAI
Summary
**Resolved** Only when using H2/MySQL/TiDB as Apache SkyWalking storage, there is a SQL injection vulnerability in the wildcard query cases.
Severity
No CVSS data available.
CWE
- SQL Injection
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/apache/skywalking/pull/4970 | x_refsource_MISC |
| http://www.openwall.com/lists/oss-security/2020/08/05/3 | mailing-listx_refsource_MLIST |
| https://lists.apache.org/thread.html/r6f3a934ebc5… | mailing-listx_refsource_MLIST |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | Apache SkyWalking |
Affected:
Apache SkyWalking 6.5.0, 6.6.0, 7.0.0, 8.0.0, 8.0.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:32:14.435Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/apache/skywalking/pull/4970"
},
{
"name": "[oss-security] 20200805 [CVE-2020-13921] Apache SkyWalking SQL injection vulnerability after H2/MySQL/TiDB storage option activated.",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2020/08/05/3"
},
{
"name": "[skywalking-dev] 20200805 Subject: [CVE-2020-13921] Apache SkyWalking SQL injection vulnerability after H2/MySQL/TiDB storage option activated.",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r6f3a934ebc54585d8468151a494c1919dc1ee2cccaf237ec434dbbd6%40%3Cdev.skywalking.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache SkyWalking",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Apache SkyWalking 6.5.0, 6.6.0, 7.0.0, 8.0.0, 8.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "**Resolved** Only when using H2/MySQL/TiDB as Apache SkyWalking storage, there is a SQL injection vulnerability in the wildcard query cases."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "SQL Injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-08-05T14:06:35.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/apache/skywalking/pull/4970"
},
{
"name": "[oss-security] 20200805 [CVE-2020-13921] Apache SkyWalking SQL injection vulnerability after H2/MySQL/TiDB storage option activated.",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2020/08/05/3"
},
{
"name": "[skywalking-dev] 20200805 Subject: [CVE-2020-13921] Apache SkyWalking SQL injection vulnerability after H2/MySQL/TiDB storage option activated.",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r6f3a934ebc54585d8468151a494c1919dc1ee2cccaf237ec434dbbd6%40%3Cdev.skywalking.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2020-13921",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache SkyWalking",
"version": {
"version_data": [
{
"version_value": "Apache SkyWalking 6.5.0, 6.6.0, 7.0.0, 8.0.0, 8.0.1"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "**Resolved** Only when using H2/MySQL/TiDB as Apache SkyWalking storage, there is a SQL injection vulnerability in the wildcard query cases."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "SQL Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/apache/skywalking/pull/4970",
"refsource": "MISC",
"url": "https://github.com/apache/skywalking/pull/4970"
},
{
"name": "[oss-security] 20200805 [CVE-2020-13921] Apache SkyWalking SQL injection vulnerability after H2/MySQL/TiDB storage option activated.",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2020/08/05/3"
},
{
"name": "[skywalking-dev] 20200805 Subject: [CVE-2020-13921] Apache SkyWalking SQL injection vulnerability after H2/MySQL/TiDB storage option activated.",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r6f3a934ebc54585d8468151a494c1919dc1ee2cccaf237ec434dbbd6@%3Cdev.skywalking.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2020-13921",
"datePublished": "2020-08-05T13:25:14.000Z",
"dateReserved": "2020-06-08T00:00:00.000Z",
"dateUpdated": "2024-08-04T12:32:14.435Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-9483 (GCVE-0-2020-9483)
Vulnerability from nvd – Published: 2020-06-30 14:28 – Updated: 2024-08-04 10:26
VLAI
Summary
**Resolved** When use H2/MySQL/TiDB as Apache SkyWalking storage, the metadata query through GraphQL protocol, there is a SQL injection vulnerability, which allows to access unpexcted data. Apache SkyWalking 6.0.0 to 6.6.0, 7.0.0 H2/MySQL/TiDB storage implementations don't use the appropriate way to set SQL parameters.
Severity
No CVSS data available.
CWE
- SQL Injection
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/apache/skywalking/pull/4639 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | Apache SkyWalking |
Affected:
Apache SkyWalking 6.0.0 to 6.6.0, 7.0.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T10:26:16.219Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/apache/skywalking/pull/4639"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache SkyWalking",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Apache SkyWalking 6.0.0 to 6.6.0, 7.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "**Resolved** When use H2/MySQL/TiDB as Apache SkyWalking storage, the metadata query through GraphQL protocol, there is a SQL injection vulnerability, which allows to access unpexcted data. Apache SkyWalking 6.0.0 to 6.6.0, 7.0.0 H2/MySQL/TiDB storage implementations don\u0027t use the appropriate way to set SQL parameters."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "SQL Injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-30T14:28:35.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/apache/skywalking/pull/4639"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2020-9483",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache SkyWalking",
"version": {
"version_data": [
{
"version_value": "Apache SkyWalking 6.0.0 to 6.6.0, 7.0.0"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "**Resolved** When use H2/MySQL/TiDB as Apache SkyWalking storage, the metadata query through GraphQL protocol, there is a SQL injection vulnerability, which allows to access unpexcted data. Apache SkyWalking 6.0.0 to 6.6.0, 7.0.0 H2/MySQL/TiDB storage implementations don\u0027t use the appropriate way to set SQL parameters."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "SQL Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/apache/skywalking/pull/4639",
"refsource": "MISC",
"url": "https://github.com/apache/skywalking/pull/4639"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2020-9483",
"datePublished": "2020-06-30T14:28:35.000Z",
"dateReserved": "2020-03-01T00:00:00.000Z",
"dateUpdated": "2024-08-04T10:26:16.219Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-30778 (GCVE-0-2026-30778)
Vulnerability from cvelistv5 – Published: 2026-04-15 10:54 – Updated: 2026-04-16 12:05
VLAI
Title
Apache SkyWalking: The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL.
Summary
The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL.
This issue affects Apache SkyWalking: from 9.7.0 through 10.3.0.
Users are recommended to upgrade to version 10.4.0, which fixes the issue.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-202 - Exposure of Sensitive Information Through Data Queries
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache SkyWalking |
Affected:
9.7.0 , ≤ 10.3.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-04-15T11:25:13.874Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/15/2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-30778",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-16T12:00:29.322586Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-16T12:05:25.254Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache SkyWalking",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "10.3.0",
"status": "affected",
"version": "9.7.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "shuiboye@gmail.com"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL.\u003c/p\u003e\u003cp\u003eThis issue affects Apache SkyWalking: from 9.7.0 through 10.3.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 10.4.0, which fixes the issue.\u003c/p\u003e"
}
],
"value": "The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL.\n\nThis issue affects Apache SkyWalking: from 9.7.0 through 10.3.0.\n\nUsers are recommended to upgrade to version 10.4.0, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-202",
"description": "CWE-202 Exposure of Sensitive Information Through Data Queries",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-15T10:54:25.212Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/pvf35o3tp1rqhmrhzj6fg31gvqrqcvn3"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache SkyWalking: The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL.",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2026-30778",
"datePublished": "2026-04-15T10:54:25.212Z",
"dateReserved": "2026-03-05T01:06:13.446Z",
"dateUpdated": "2026-04-16T12:05:25.254Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-54057 (GCVE-0-2025-54057)
Vulnerability from cvelistv5 – Published: 2025-11-27 11:47 – Updated: 2026-04-13 15:29
VLAI
Title
Apache SkyWalking: Stored XSS vulnerability
Summary
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache SkyWalking.
This issue affects Apache SkyWalking: <= 10.2.0.
Users are recommended to upgrade to version 10.3.0, which fixes the issue.
Severity
6.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Assigner
References
3 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache SkyWalking |
Affected:
0 , ≤ 10.2.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-04-13T15:29:56.169Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/11/27/1"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/13/3"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-54057",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-28T16:37:24.756331Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-28T16:38:32.983Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache SkyWalking",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "10.2.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Vinh Nguy\u1ec5n Quang (vinhnq4902@gmail.com)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eImproper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache SkyWalking.\u003c/p\u003e\u003cp\u003eThis issue affects Apache SkyWalking: \u0026lt;= 10.2.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 10.3.0, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache SkyWalking.\n\nThis issue affects Apache SkyWalking: \u003c= 10.2.0.\n\nUsers are recommended to upgrade to version 10.3.0, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T13:02:02.249Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/sl2x2tx8y007x0mo746yddx2lvnv9tcr"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache SkyWalking: Stored XSS vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-54057",
"datePublished": "2025-11-27T11:47:32.947Z",
"dateReserved": "2025-07-16T11:09:55.585Z",
"dateUpdated": "2026-04-13T15:29:56.169Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-36127 (GCVE-0-2022-36127)
Vulnerability from cvelistv5 – Published: 2022-07-18 11:30 – Updated: 2024-08-03 10:00
VLAI
Title
Service unavailability impact in NodeJS agent(version <= 0.5.0)
Summary
A vulnerability in Apache SkyWalking NodeJS Agent prior to 0.5.1. The vulnerability will cause NodeJS services that has this agent installed to be unavailable if the OAP is unhealthy and NodeJS agent can't establish the connection.
Severity
No CVSS data available.
CWE
- Denial of Service
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/x238wo4r5goy39dxd… | x_refsource_MISC |
| http://www.openwall.com/lists/oss-security/2022/07/18/1 | mailing-listx_refsource_MLIST |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache SkyWalking NodeJS Agent |
Affected:
Apache SkyWalking NodeJS Agent , ≤ 0.5.0
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T10:00:01.456Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread/x238wo4r5goy39dxdjcmlofp6gcdnqr3"
},
{
"name": "[oss-security] 20220718 CVE-2022-36127: Apache SkyWalking NodeJS Agent: Service unavailability impact in NodeJS agent(version \u003c= 0.5.0)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/07/18/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache SkyWalking NodeJS Agent",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "0.5.0",
"status": "affected",
"version": "Apache SkyWalking NodeJS Agent",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in Apache SkyWalking NodeJS Agent prior to 0.5.1. The vulnerability will cause NodeJS services that has this agent installed to be unavailable if the OAP is unhealthy and NodeJS agent can\u0027t establish the connection."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Denial of Service",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-18T14:06:14.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread/x238wo4r5goy39dxdjcmlofp6gcdnqr3"
},
{
"name": "[oss-security] 20220718 CVE-2022-36127: Apache SkyWalking NodeJS Agent: Service unavailability impact in NodeJS agent(version \u003c= 0.5.0)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2022/07/18/1"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Service unavailability impact in NodeJS agent(version \u003c= 0.5.0)",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2022-36127",
"STATE": "PUBLIC",
"TITLE": "Service unavailability impact in NodeJS agent(version \u003c= 0.5.0)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache SkyWalking NodeJS Agent",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "Apache SkyWalking NodeJS Agent",
"version_value": "0.5.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability in Apache SkyWalking NodeJS Agent prior to 0.5.1. The vulnerability will cause NodeJS services that has this agent installed to be unavailable if the OAP is unhealthy and NodeJS agent can\u0027t establish the connection."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread/x238wo4r5goy39dxdjcmlofp6gcdnqr3",
"refsource": "MISC",
"url": "https://lists.apache.org/thread/x238wo4r5goy39dxdjcmlofp6gcdnqr3"
},
{
"name": "[oss-security] 20220718 CVE-2022-36127: Apache SkyWalking NodeJS Agent: Service unavailability impact in NodeJS agent(version \u003c= 0.5.0)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2022/07/18/1"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-36127",
"datePublished": "2022-07-18T11:30:13.000Z",
"dateReserved": "2022-07-17T00:00:00.000Z",
"dateUpdated": "2024-08-03T10:00:01.456Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-13921 (GCVE-0-2020-13921)
Vulnerability from cvelistv5 – Published: 2020-08-05 13:25 – Updated: 2024-08-04 12:32
VLAI
Summary
**Resolved** Only when using H2/MySQL/TiDB as Apache SkyWalking storage, there is a SQL injection vulnerability in the wildcard query cases.
Severity
No CVSS data available.
CWE
- SQL Injection
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/apache/skywalking/pull/4970 | x_refsource_MISC |
| http://www.openwall.com/lists/oss-security/2020/08/05/3 | mailing-listx_refsource_MLIST |
| https://lists.apache.org/thread.html/r6f3a934ebc5… | mailing-listx_refsource_MLIST |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | Apache SkyWalking |
Affected:
Apache SkyWalking 6.5.0, 6.6.0, 7.0.0, 8.0.0, 8.0.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:32:14.435Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/apache/skywalking/pull/4970"
},
{
"name": "[oss-security] 20200805 [CVE-2020-13921] Apache SkyWalking SQL injection vulnerability after H2/MySQL/TiDB storage option activated.",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2020/08/05/3"
},
{
"name": "[skywalking-dev] 20200805 Subject: [CVE-2020-13921] Apache SkyWalking SQL injection vulnerability after H2/MySQL/TiDB storage option activated.",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r6f3a934ebc54585d8468151a494c1919dc1ee2cccaf237ec434dbbd6%40%3Cdev.skywalking.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache SkyWalking",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Apache SkyWalking 6.5.0, 6.6.0, 7.0.0, 8.0.0, 8.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "**Resolved** Only when using H2/MySQL/TiDB as Apache SkyWalking storage, there is a SQL injection vulnerability in the wildcard query cases."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "SQL Injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-08-05T14:06:35.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/apache/skywalking/pull/4970"
},
{
"name": "[oss-security] 20200805 [CVE-2020-13921] Apache SkyWalking SQL injection vulnerability after H2/MySQL/TiDB storage option activated.",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2020/08/05/3"
},
{
"name": "[skywalking-dev] 20200805 Subject: [CVE-2020-13921] Apache SkyWalking SQL injection vulnerability after H2/MySQL/TiDB storage option activated.",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r6f3a934ebc54585d8468151a494c1919dc1ee2cccaf237ec434dbbd6%40%3Cdev.skywalking.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2020-13921",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache SkyWalking",
"version": {
"version_data": [
{
"version_value": "Apache SkyWalking 6.5.0, 6.6.0, 7.0.0, 8.0.0, 8.0.1"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "**Resolved** Only when using H2/MySQL/TiDB as Apache SkyWalking storage, there is a SQL injection vulnerability in the wildcard query cases."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "SQL Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/apache/skywalking/pull/4970",
"refsource": "MISC",
"url": "https://github.com/apache/skywalking/pull/4970"
},
{
"name": "[oss-security] 20200805 [CVE-2020-13921] Apache SkyWalking SQL injection vulnerability after H2/MySQL/TiDB storage option activated.",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2020/08/05/3"
},
{
"name": "[skywalking-dev] 20200805 Subject: [CVE-2020-13921] Apache SkyWalking SQL injection vulnerability after H2/MySQL/TiDB storage option activated.",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r6f3a934ebc54585d8468151a494c1919dc1ee2cccaf237ec434dbbd6@%3Cdev.skywalking.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2020-13921",
"datePublished": "2020-08-05T13:25:14.000Z",
"dateReserved": "2020-06-08T00:00:00.000Z",
"dateUpdated": "2024-08-04T12:32:14.435Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-9483 (GCVE-0-2020-9483)
Vulnerability from cvelistv5 – Published: 2020-06-30 14:28 – Updated: 2024-08-04 10:26
VLAI
Summary
**Resolved** When use H2/MySQL/TiDB as Apache SkyWalking storage, the metadata query through GraphQL protocol, there is a SQL injection vulnerability, which allows to access unpexcted data. Apache SkyWalking 6.0.0 to 6.6.0, 7.0.0 H2/MySQL/TiDB storage implementations don't use the appropriate way to set SQL parameters.
Severity
No CVSS data available.
CWE
- SQL Injection
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/apache/skywalking/pull/4639 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | Apache SkyWalking |
Affected:
Apache SkyWalking 6.0.0 to 6.6.0, 7.0.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T10:26:16.219Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/apache/skywalking/pull/4639"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache SkyWalking",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Apache SkyWalking 6.0.0 to 6.6.0, 7.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "**Resolved** When use H2/MySQL/TiDB as Apache SkyWalking storage, the metadata query through GraphQL protocol, there is a SQL injection vulnerability, which allows to access unpexcted data. Apache SkyWalking 6.0.0 to 6.6.0, 7.0.0 H2/MySQL/TiDB storage implementations don\u0027t use the appropriate way to set SQL parameters."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "SQL Injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-30T14:28:35.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/apache/skywalking/pull/4639"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2020-9483",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache SkyWalking",
"version": {
"version_data": [
{
"version_value": "Apache SkyWalking 6.0.0 to 6.6.0, 7.0.0"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "**Resolved** When use H2/MySQL/TiDB as Apache SkyWalking storage, the metadata query through GraphQL protocol, there is a SQL injection vulnerability, which allows to access unpexcted data. Apache SkyWalking 6.0.0 to 6.6.0, 7.0.0 H2/MySQL/TiDB storage implementations don\u0027t use the appropriate way to set SQL parameters."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "SQL Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/apache/skywalking/pull/4639",
"refsource": "MISC",
"url": "https://github.com/apache/skywalking/pull/4639"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2020-9483",
"datePublished": "2020-06-30T14:28:35.000Z",
"dateReserved": "2020-03-01T00:00:00.000Z",
"dateUpdated": "2024-08-04T10:26:16.219Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}