SkyWalking 漏洞列表
共找到 5 个与 SkyWalking 相关的漏洞
📅 加载漏洞趋势中...
-
CVE-2020-13921: SkyWalking SQL Injection POC
SkyWalking SQL Injection fofa: app="APACHE-Skywalking" -
CVE-2020-9483: SkyWalking SQLI POC
When using H2/MySQL/TiDB as Apache SkyWalking storage and a metadata query through GraphQL protocol, there is a SQL injection vulnerability which allows access to unexpected data. Apache SkyWalking 6.0.0 to 6.6.0, 7.0.0 H2/MySQL/TiDB storage implementations don't use the appropriate way to set SQL parameters. -
CVE-2020-9483: SkyWalking SQLI POC
When using H2/MySQL/TiDB as Apache SkyWalking storage and a metadata query through GraphQL protocol, there is a SQL injection vulnerability which allows access to unexpected data. Apache SkyWalking 6.0.0 to 6.6.0, 7.0.0 H2/MySQL/TiDB storage implementations don't use the appropriate way to set SQL parameters. -
Apache SkyWalking基于log4J组件的远程命令执行漏洞 无POC
Apache SkyWalking基于log4J组件的远程命令执行漏洞。 -
Apache Skywalking 8.3.0 SQL注入漏洞 无POC
Skywalking历史上存在两次sql注入漏洞,CVE-2020-9483、CVE-2020-13921。经过源码分析,发现两次sql注入漏洞修复并不完善,仍存在一处sql注入漏洞。(该请求无页面入口,需要根据graphql配置文件手动进行请求构造,或许这就是官方遗漏该注入点的原因)Skywalking默认配置下使用的数据库为h2,且使用sa权限启动。于是我们可以先利用任意文件写入函数在classpath中写一个恶意类,然后再使用LINK_SCHEMA函数来加载这个恶意类,实现远程代码执行。